Hacker claims theft of 300 GB of passenger data from Uzbekistan Airways

A hacker is claiming responsibility for breaching Uzbekistan Airways and stealing hundreds of thousands of sensitive records, including the personal information of U.S. government employees. The alleged data cache, amounting to 300 gigabytes, contains email addresses, scanned passports and other identifying documents from more than 40 countries, according to data samples reviewed.

The hacker, who goes by the alias ByteToBreach and claims to be from the Swiss Alps, advertised the trove Thursday on a dark web forum known for leaks and cybercrime activity. The samples included scans of 75 passports from countries such as the United States, Russia, Israel, the United Kingdom and South Korea, as well as partial credit card data and credentials for airline systems. A larger sample contained 2,626 images of passports, IDs, birth certificates and marriage licenses, some belonging to children.

A spreadsheet revealed data from 379,603 members of Uzbekistan Airways’ loyalty program, exposing names, dates of birth, nationalities, phone numbers, member IDs and more. Among them were employees of several U.S. agencies, including the State Department, the Department of Energy, Immigration and Customs Enforcement, Customs and Border Protection and the Transportation Security Administration. Employees of foreign governments in Russia, Uzbekistan and the United Arab Emirates also appeared in the dataset.

To verify authenticity, reporters contacted several phone numbers found in the files. One apparent TSA employee answered using the first name listed in the leaked data and identified their position with the agency. After being informed of the exposure, the individual declined to comment and directed inquiries to the Department of Homeland Security. The department’s public affairs office did not respond to follow-up questions.

The hacker also claimed to have engaged with the airline directly, demanding payment of about $176,000 in bitcoin to prevent the sale of the data. Screenshots shared online purportedly show an Uzbekistan Airways employee acknowledging receipt of sample documents from the company’s Amazon cloud storage.

Uzbekistan Airways, however, has publicly denied any compromise. In a statement posted on its website Thursday, the airline said there was no “unauthorized access to our information systems or any compromise of personal data.” The carrier argued that the examples circulating online may have been artificially generated to create a false impression of a breach. It urged media outlets to avoid publishing “unverified information that may mislead the public and damage the airline’s business reputation.”

Cybersecurity experts caution that both hackers and companies have reasons to distort the facts in such cases. Troy Hunt, creator of the breach-notification platform Have I Been Pwned, said that while false claims of hacks do exist, organizations also sometimes deny real breaches. “The truth is always in the data,” he noted.

Several passengers whose details appeared in the files confirmed their connections to the airline. A Russian traveler provided a copy of a ticket from a June flight between Tashkent and Moscow, while a Japanese customer said they joined the airline’s loyalty program in April. Other individuals identified in the records did not respond.

The full extent of the breach or the presence of financial data has not been independently verified. Uzbekistan Airways did not respond to additional requests for comment.