Hackers claim German aviation firm, leak customer data


A cybercriminal cartel has claimed FAI Aviation Group, a German charter operator, as a victim. The attackers say they’ve accessed a trove of sensitive data, ranging from company details to medical information.

The aviation firm was posted on the J Group ransomware gang’s dark web blog, which it uses to showcase its latest victims and, in some cases, leak their data. The cybercrooks claim they’ve obtained nearly 3TB of data.

We’ve reached out to FAI and will update the article once we receive a reply.


The company is a charter operator that offers fixed-wing ambulance services, luxury jet charter and mission-critical aviation services. Headquartered in Nuremberg, the company operates subsidiaries in Dubai and Bahrain and claims to have nearly 300 employees.

Attackers' post on the dark web. Image by Cybernews.

What FAI data did the alleged data breach expose?

J Group’s post claims that the alleged data breach exposed a variety of sensitive and personal details. For example, the gang claims it accessed private patients' data, likely referring to FAI’s air ambulance services. The dataset supposedly includes patients' clinical info.

According to the attackers, the alleged data breach has also exposed commercial documents, project documentation, company files regarding staff complaints, and other details that were unlikely meant to go public.

The Cybernews research team has investigated information that the attackers added to their dark web post. However, the attachment only included a text file with a data tree, with allegedly stolen file and folder names. According to the team, the list mentioned:

  • Various employee training documents
  • Audit documents
  • Aircraft specification documents
  • CVs
  • Passport copies
Sample of the allegedly stolen details. Image by Cybernews.

The team believes malicious actors could abuse the allegedly leaked information for identity theft and fraud. Leaked documents could be utilized to set up fraudulent accounts, financially impacting the exposed individuals.

Another avenue of increased risk is social engineering. For example, attackers could impersonate FAI or other charter services, since they’d be aware that the victims they target use these types of services and, likely, have spare funds.

What makes matters worse is that medical and biometric data are non-recoverable, which means that users cannot change their medical histories once they've been compromised.


Meanwhile, internal audit documents could identify the company’s weaknesses that persistent attackers may exploit in the future.

Attackers often target airlines and charter operators, as any disruption is extremely costly for air carriers. Numerous companies were targeted over the last three months, including the second-largest Canadian airline, WestJet Airlines, US carrier Alaska Airlines, Australian airline Qantas, and US commercial carrier Hawaiian Airlines.

Who is J Group ransomware?

J Group ransomware is a fresh face in the cybercriminal underworld, first spotted in early 2025. So far, there’s little information on the group’s activities. However, security researchers note that the gang targets everything from amusement parks to potato packers.

The gang’s behavior is indicative of a group that’s still attempting to establish itself and find a consistent modus operandi. Interestingly, the gang may adopt an ever-more-popular approach to data brokerage.

Conventional ransomware gangs threaten to publicly leak victims’ data if they refuse to pay the ransom. Meanwhile, cartels like J Group would attempt to publicly sell the data in an attempt to cash in after a failed negotiation.


According to Ransomlooker, Cybernews’ dark web monitoring tool, J Group has victimized at least 32 organizations, making it one of the more active newcomers to the scene.

