Ransomware gang INC claims recent attack on South African Airways

Ransomware gang INC has today come forward to claim the recent attack on South African Airways. Today’s announcement labels the first leak as “Part 1,” suggesting more data will be leaked in the coming days/weeks if ransom demands aren’t met.

South African Airways issued a statement on May 6, 2025, confirming it had been hit by a cyber attack on May 3, 2025. The attack “temporarily disrupted access to the airline’s website, mobile application, and several internal operational systems” but these were restored later that day.

SAA hasn’t confirmed INC’s claims, the nature of the attack, or whether or not a ransom was demanded/paid. When Comparitech contacted SAA for further information, we were provided with the following statement:

An expert digital forensic investigation is underway to determine the incident’s full scope, root cause, and if any personal data, such as passport, ID, and credit card information, was accessed or exfiltrated. Presently, there is no evidence of compromised customer data or SAA’s financial management systems. Should any evidence of data compromise be found, we will promptly notify affected individuals and corporations directly, in line with regulatory obligations.
 

As reported before, SAA infrastructure is classified as a National Key Point, the State Security Agency is also involved in the investigation and advisory on future mitigatory interventions.
 

SAA remains committed to the security and integrity of our business information systems and the protection of customer data. We have activated a project to further strengthen our cybersecurity defences and to mitigate possible future incidents.”

On average, the data breaches attributed to INC involve around 90,000 individual records. So while SAA continues its investigations, we highly recommend customers and employees remain vigilant for any potential phishing messages and unauthorized activity on their accounts.

Who is INC?

INC first started adding victims to its data leak site in August 2023. Since then, we’ve tracked 91 confirmed attacks and 211 unconfirmed attacks via this group.

South African Airways isn’t the first airline to have been targeted by INC. In January 2025, INC posted Air Europa (Spain) to its data leak site, alleging to have lots of client data in its hands. Shortly after, Air Europa started notifying customers that their data may have been posted online, but linked this to a previous attack that had taken place in February 2024.

In the US, Oceanair, Inc. started notifying 397 people of a data breach following an attack in May 2024. Names, Social Security numbers, and financial information were affected. INC also claimed this attack, publishing screenshots of a number of passports within its proof pack. The attack, like SAA’s, also resulted in system disruption.

INC, like most ransomware gangs today, employs a double-extortion technique. This allows it to demand two ransoms: 1) for decrypted systems and 2) for deleting stolen data.

So far this year, INC has been confirmed to be the group behind 11 confirmed attacks and has posted a further 78 victims to its data leak site which remain unconfirmed at this time.

Ransomware attacks on the transport sector

So far this year, we’ve seen 10 confirmed attacks and 135 unconfirmed attacks on the transport sector. These attacks have impacted organizations all over the world with some of the most recent (all confirmed in April 2025) being:

• Runtec Co., Ltd. (Japan) – Hit by Lynx with 500 GB allegedly stolen. The attack cause significant delays to fresh deliveries for several days.
• Kintetsu World Express, Inc. (Japan) – The attack (which was carried out by unknown hackers) caused system failure and disruption to operations.
• Eu-Rec GmbH (Germany) – After being hit by SafePay, it was estimated that 200 people had their data impacted in this breach. Eu-Rec also filed for bankruptcy shortly after, citing the ransomware attack and a decline in workload as the reasons.

Meanwhile, US logistics company Genpro, Inc., recently started notifying nearly 1,400 people of a data breach following an attack in September 2024. This was claimed by BlackSuit.

Our recent report found that it takes transport companies (in the US), 3.8 months on average to report a data breach following a ransomware attack. This was slightly below the overall average of 4.16 months.

About South African Airways

South African Airways began operations in February 1934. Today, as South Africa’s largest airline, it operates nearly 5,000 flights a month, covering over 700 destinations across the globe.