Industry News

Hackers steal $5 million from Ryanair’s bank account

All of us dread the prospect of having our personal bank accounts hacked.

But imagine what it must be like for a company to have its business bank account plundered by hackers for millions of dollars?

According to reports, controversial budget airline Ryanair has fallen victim to hackers who managed to steal €4.6 million (almost US $5 million) via a fraudulent electronic transfer to a Chinese bank last week.

The Irish Times reports that Ryanair uses dollars to buy fuel for its fleet of Boeing 737 aircraft, and it is believed that these were the funds which the hackers were able to gain access too. Presumably large amounts of cash are spent purchasing fuel from such accounts, and that’s why no alarm was raised as 4.6 million was transferred from the account.

Whether, of course, large payments for fuel is often made via Chinese banks is information that I’m not privy too – but apparently that’s where at a least one bank transfer did end up going.

Who was behind the assault on Ryanair’s bank account is currently a matter of pure speculation. Just because a Chinese bank was involved does not necessarily mean that Chinese criminals were behind the attack.

Additionally, no details of how the hack was perpetrated have been made public, although in a statement the airline says that it has taken steps to prevent a reoccurrence:

“Ryanair confirms that it has investigated a fraudulent electronic transfer via a Chinese bank last week. The airline has been working with its banks and the relevant authorities and understands that the funds – less than $5 million – have now been frozen. The airline expects these funds to be repaid shortly, and has taken steps to ensure that this type of transfer cannot recur.”

Earlier this month, IBM security researchers published details of a criminal campaign dubbed “Dyre Wolf” that successfully stole more than $1 million from targeted businesses. In that campaign, hackers infected workers’ computers with malware and tricked them into ringing a live phone operator (working for the gang) who could socially engineer credentials and wire large sums of money out of the business’s account.

Although a fairly crude technique, it does successfully circumvent commonly-used defences such as two-factor authentication.

Of course, it’s not known if this was the technique used by the criminals who attacked Ryanair.

Personally I think it’s a shame that Ryanair hasn’t been able shed more light on the details of how the hack might have occurred, or what steps it might have taken to prevent it from happening again. After all, that would no doubt be information which could prove useful to other organisations which wish to protect themselves from similar criminal activity.

After all, if the airline has been able to fix the problem so quickly it would presumably be simple for other organisations to make sure that they were taking similar precautions or proactive steps to avoid falling to the same fate.

Ryanair became aware of the fraud on Friday, and Dublin’s Criminal Assets Bureau has been working with its counterparts in Asia to try to recover the money.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


Click here to post a comment
  • While the “Dyre Wolf” malware scenario is possible, my experience is that the current method is spear phishing of someone who presumably would have bank transfer authority with an email purportedly from a senior executive of the organization. The MO is to get the target to believe that they are helping facilitate a very confidential transaction that will be handled through a third party. Once the victim is hooked, the third party makes an initial email contact, followed by telephone calls to push the victim along to make the transaction. Wire instructions are then provided (generally to Chinese banks). If the initial transfer is successful, the third party may make another attempt to get another “installment” for the “transaction”. It’s all social engineering, with the only real technology aspect being either a spoofed email address or a newly registered domain name similar to the victim company’s domain. The criminals may also utilize spoofed cellular numbers.

  • and this is only the top of the iceberg. Many companies do more efforts in hidding they lost money being hacked then creating public awareness posting their story in the news. The new titanic anno 2015 would have hit the iceberg due to missing multifactor authentication on the warning app and so being hacked….

  • But is it really “stealing” if you knowingly wire them the money? Seems more like fraud or something to me…..

  • obviously like your web site however you have to take a look at the spelling on several of your posts.
    Many of them are rife with spelling problems and I in finding it very
    troublesome to inform the reality however I'll surely come back again.