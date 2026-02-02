Qilin ransomware gang claims breach of Tulsa International Airport data

Leaked samples include executive emails, IDs, financial and governance documents

Group is major RaaS threat, breaching 1,000+ organizations in 2025, 50+ in January 2026

Russian ransomware operators Qilin have claimed to have broken into the Tulsa International Airport and stolen an unspecified amount of sensitive company data.

A report from Cybernews says the group recently added the airport to their data leak site, and included 18 samples as proof of their claims.

The researchers analyzed the samples, finding it included C-suite emails, as well as email correspondence between executives and “high-level banking officials” outside the airport. The data also apparently includes copies of employee IDs, driver’s licenses, and passports, but also annual budget and revenue spreadsheets, confidentiality and non-disclosure agreements, telehealth reports, governance meeting minutes, insurance documents, banking communications, tenant databases, vendor revenue sheets, and court case documents.

Who is Qilin?

Cybernews did not confirm or deny the authenticity of the samples that were posted, but said that they dated between 2022 and 2025, which would make them rather fresh and useful to criminals.

The Tulsa International Airport in Oklahoma is a mid-size commercial airport that handles about 80 flights a day, to more than 20 domestic destinations. Carriers include Southwest, American, Delta and United, and the airport serves more than 3 million passengers a year.

It supports a regional aviation ecosystem with thousands of employees across airlines, airport operations and on-site aerospace firms, contributing to an estimated 40,000 jobs and roughly $6 billion in annual economic impact for the area.

Qilin was first spotted four years ago and has since moved up the ranks to become one of the biggest ransomware threats in 2026, allegedly successfully breached more than 1,000 organizations in 2025.

It is a Russian-speaking ransomware-as-a-service (RaaS) with numerous affiliates, whose identities are not known at this time. The airport is yet to make an official statement on the attack.

