On June 1, 2024, an unknown threat actor posted a dataset containing 864 employee records from Riyadh Airports Company (RAC) on a cybercrime forum, pricing the data at $290. RAC operates King Khalid International Airport (KKIA), Saudi Arabia’s second-busiest airport and a critical hub in the Kingdom’s aviation infrastructure.
Key Facts
- What: 864 employee records from Riyadh Airports Company sold for $290.
- Who: Employees of the operator of King Khalid International Airport.
- Data Exposed: Employee IDs, full names, corporate emails, and mobile numbers.
- Outcome: Critical infrastructure risk; subject to NCA and PDPL oversight.
What Was Exposed
- Employee identification numbers used within RAC’s internal personnel management systems
- Full legal names of 864 employees across various operational and administrative departments
- Corporate email addresses following RAC’s organizational email naming conventions
- Personal mobile phone numbers registered to employee accounts
At first glance, 864 records priced at $290 may appear to be a minor incident compared to the multi-terabyte breaches that dominate cybersecurity headlines.
This assessment is dangerously wrong. The value of this dataset is not measured by its volume but by its target: the operator of a major international airport that serves as critical national infrastructure. Every employee record in this dataset represents a potential entry point for a far more consequential attack.
Airport operators employ personnel in uniquely sensitive roles. Among the 864 exposed employees are likely individuals responsible for air traffic management systems, baggage handling infrastructure, security screening operations, runway maintenance, fuel management, and communications systems. The combination of employee names, corporate email addresses, and personal mobile numbers provides everything needed to launch targeted spear-phishing campaigns against these individuals.
A convincing email sent to an airport IT administrator’s corporate address, combined with a follow-up text message to their personal phone that creates urgency, is a well-established social engineering pattern that has compromised organizations far more security-aware than an airport operator.
The corporate email addresses reveal RAC’s email naming conventions, which can be extrapolated to identify valid email addresses for employees not included in the leaked dataset. If RAC uses a firstname.lastname@rac.sa pattern, for example, an attacker with knowledge of any RAC employee’s name from LinkedIn or other public sources can construct valid email addresses for targeted attacks.
This enumeration capability extends the effective reach of the breach far beyond the 864 records that were directly exposed.
The $290 price point is itself significant. This low pricing indicates the seller viewed the data as a commodity product: valuable enough to monetize but not rare enough to command a premium. This suggests the data may have already been sold multiple times or shared in private channels before appearing on the public forum. The actual number of adversaries who possess this data is likely substantially higher than the public listing suggests, and each purchaser acquires the same targeting capability against RAC’s workforce.
The timing of this breach is noteworthy in the context of Saudi Arabia’s aviation expansion. The Kingdom is investing hundreds of billions of dollars in aviation infrastructure, including the development of a new mega-airport in Riyadh and the expansion of existing facilities. RAC sits at the center of this transformation.
Employee data from an organization undergoing rapid growth and digital transformation is particularly valuable to threat actors, as periods of organizational change often coincide with security gaps, new system deployments, and employees who are more susceptible to social engineering because of unfamiliar processes and new colleagues.
Regulatory Analysis
This breach occurred in May-June 2024, during the transitional period before the PDPL entered full enforcement on September 14, 2024. While the transitional provisions offered organizations additional time to achieve compliance, the PDPL’s core principles were already in effect, and organizations were expected to be progressing toward full compliance. The exposure of employee personal data on a cybercrime forum would be evaluated against the security measures RAC had in place at the time, with consideration for the transitional context.
Under the now fully enforced PDPL, the exposed employee data (names, identification numbers, email addresses, and phone numbers) constitutes personal data under Article 2. The unauthorized disclosure of this data on a cybercrime forum would trigger breach notification obligations under Article 20, requiring RAC to notify SDAIA and, where the breach poses a risk of harm to individuals, to notify the affected employees.
The structured nature of the data and its appearance in a for-sale listing suggest deliberate unauthorized access rather than accidental exposure, which would inform SDAIA’s assessment of the severity of the incident.
RAC’s classification as a critical infrastructure operator adds regulatory weight. Aviation entities in Saudi Arabia are subject to cybersecurity requirements from the National Cybersecurity Authority (NCA), including the Essential Cybersecurity Controls. The compromise of employee data from an airport operator, even without evidence of operational system access, represents a threat to the aviation security ecosystem.
The NCA’s mandate to protect critical national infrastructure means that even a seemingly small employee data breach at an airport operator receives scrutiny disproportionate to its volume.
What Should Have Been Done
The likely attack vector, database access or HR system exploitation, points to fundamental gaps in application security and access management. HR systems containing employee records should be segmented from public-facing infrastructure, accessible only through privileged access workstations with multi-factor authentication.
Database access should be restricted to specific application service accounts with read-only permissions where appropriate, and all administrative access should be logged and monitored in real time. Web-facing HR portals, if any existed, should have been protected by web application firewalls, rate limiting, and anomaly detection to identify unauthorized data extraction.
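One way to implement the anomaly-detection control described above, as an added example that is not RAC’s code or any vendor’s product: the log format, the `/api/employees/` path, the account names and the thresholds are all assumptions. It parses a constructed HR-portal access log and flags any user/IP pair that retrieves more than a threshold of distinct employee records inside a sliding time window, which is the signature of bulk extraction rather than routine lookups.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical HR-portal access-log format (an assumption, not RAC's real format).
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) GET /api/employees/(?P<emp>\d+) (?P<status>\d{3})$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "user": m["user"],
            "ip": m["ip"], "emp": m["emp"], "status": int(m["status"])}

def detect_bulk_extraction(lines, window=timedelta(minutes=5), max_distinct=25):
    """Map each (user, ip) principal that fetched more than `max_distinct` distinct
    employee records inside any `window` to its peak count. Keying on user AND ip
    separates a clerk's normal desk use from the same credentials replayed elsewhere."""
    events = sorted((e for e in map(parse_line, lines) if e and e["status"] == 200),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # principal -> (ts, emp) pairs still inside the window
    alerts = {}
    for e in events:
        key = (e["user"], e["ip"])
        q = recent[key]
        q.append((e["ts"], e["emp"]))
        while e["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = len({emp for _, emp in q})
        if distinct > max_distinct:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts

def build_sample_log():
    """Constructed sample: a clerk views three records over 43 minutes from the office
    network, then the same account pulls 120 records in two minutes from an outside
    address (198.51.100.0/24 is a documentation range)."""
    base = datetime(2024, 5, 28, 9, 0, 0)
    lines = []
    for i, minute in enumerate((0, 17, 43)):
        ts = (base + timedelta(minutes=minute)).strftime(TS_FMT)
        lines.append(f"{ts} user=hr.clerk ip=10.20.5.7 GET /api/employees/{1001 + i} 200")
    for i in range(120):
        ts = (base + timedelta(hours=17, seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} user=hr.clerk ip=198.51.100.23 GET /api/employees/{2000 + i} 200")
    lines.append("garbage line the parser must tolerate")
    return lines
```

Run against the constructed log, the office-network activity stays silent while the out-of-hours pull from the unfamiliar address is reported with its peak of 120 distinct records, the kind of alert that should trigger credential rotation and session revocation for that account.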
Proactive dark web monitoring should be standard practice for any critical infrastructure operator. Threat intelligence services that continuously scan cybercrime forums, paste sites, and Telegram channels for mentions of the organization’s name, domain, or data patterns can provide early warning of data exposure.
Had RAC maintained such monitoring, the appearance of employee data on a cybercrime forum could have been detected within hours, enabling rapid response including credential rotation for affected employees, enhanced monitoring of authentication systems, and preemptive security awareness alerts to the workforce about potential spear-phishing attempts.
Employee data minimization should be a design principle for any system that stores personnel records. The question should always be asked: does this system need to store personal mobile phone numbers alongside employee IDs and email addresses?
If the legitimate business purpose can be served with fewer data elements, the additional fields should not be present. Data minimization does not prevent breaches, but it limits the damage when they occur. An employee directory containing only names and corporate email addresses is significantly less useful to a threat actor than one that also includes personal phone numbers and internal identification numbers.
864 airport employee records sold for $290 may seem like a minor data sale, but each record is a potential key to King Khalid International Airport’s operational infrastructure. In aviation security, the threat model does not distinguish between a $290 data purchase and a million-dollar intelligence operation; the social engineering attack that follows uses the same data either way. Critical infrastructure operators cannot afford to assess breach severity by record count alone.