Qilin ransomware gang claims breach of Tulsa International Airport, posts alleged data samples

Russian-speaking ransomware operators known as Qilin have claimed responsibility for a cyber intrusion at Tulsa International Airport in Oklahoma, alleging the theft of sensitive internal data and publishing a set of documents as proof on their dark web leak site. The listing appeared Friday, marking the airline sector’s first reported ransomware claim of 2026.

The group posted 18 files it says were taken from the airport’s internal systems. An examination of the material shows what appears to be a broad cross-section of sensitive records, including executive-level email communications, correspondence with high-level banking officials outside the airport, and copies of personal identification documents attributed to employees, such as driver’s licenses and a U.S. passport.

The cache also contains internal financial and operational records. Files include annual budget and revenue spreadsheets, confidentiality and non-disclosure agreements, governance meeting minutes, insurance documentation, banking communications, tenant databases, vendor revenue sheets, telehealth-related reports, and court case documents. The documents appear to span a period from roughly 2022 through 2025, suggesting relatively recent data.

The attackers have not disclosed the total volume of data allegedly taken, and there has been no public confirmation of the authenticity of the files or whether passenger information is involved. Tulsa International Airport had not issued an official statement on the claimed intrusion as of publication.

Tulsa International Airport is a mid-size commercial airport serving northeastern Oklahoma. Located just outside Tulsa’s metropolitan area, which is home to nearly one million residents, the facility handled more than 3.2 million passengers in 2024. It supports service to more than 20 domestic destinations and hosts an average of hundreds of commercial, general aviation, and military flight movements each day. Major carriers operating at the airport include Southwest, American, Delta, and United.

Beyond commercial passenger traffic, the airport plays a significant role in regional aviation and defense. It hosts the Oklahoma Air National Guard’s 138th Fighter Wing, supports major cargo operations through FedEx Express and UPS, and serves as the global headquarters for American Airlines’ maintenance and engineering operations. The broader airport ecosystem supports tens of thousands of jobs and generates billions of dollars in annual economic impact for the region.

Qilin emerged roughly four years ago and has since grown into one of the most prolific ransomware threats. The group operates under a ransomware-as-a-service model, providing malware and infrastructure to affiliates in exchange for a share of ransom payments. It primarily targets manufacturers, financial institutions, retailers, healthcare organizations, and government entities.

The gang has claimed responsibility for breaches at more than 1,000 organizations in 2025 and has continued its activity into 2026 with dozens of additional victims. Affiliates associated with Qilin are not publicly identified, and the group has been linked to alliances with other Russia-linked ransomware operations.

It remains unclear whether the alleged breach has disrupted airport operations or affected flight activity. The claim adds to a growing list of cyber incidents affecting the global aviation sector, which has faced repeated targeting by ransomware groups over the past year.