On June 1, 2024, an unknown threat actor posted a dataset containing 864 employee
records from Riyadh Airports Company (RAC) on a cybercrime forum, pricing the data
at $290. RAC operates King Khalid International Airport (KKIA), Saudi Arabia’s
second-busiest airport and a critical hub in the Kingdom’s aviation
infrastructure.

The exposed records included employee IDs, full names, corporate email addresses,
and mobile phone numbers. While the attack vector remains unconfirmed, the structured
format of the data suggests database access or exploitation of an HR management
system. This incident is distinct from a separate November 2025 attack that
targeted RAC’s critical control systems.

## Key Facts
- **What:** 864 employee records from Riyadh Airports Company sold for $290.
- **Who:** Employees of the operator of King Khalid International Airport.
- **Data Exposed:** Employee IDs, full names, corporate emails, and mobile numbers.
- **Outcome:** Critical infrastructure risk; subject to NCA and PDPL oversight.

## What Was Exposed
- Employee identification numbers used within RAC’s internal personnel
  management systems
- Full legal names of 864 employees across various operational and administrative
  departments
- Corporate email addresses following RAC’s organizational email naming
  conventions
- Personal mobile phone numbers registered to employee accounts

At first glance, 864 records priced at $290 may appear to be a minor incident
compared to the multi-terabyte breaches that dominate cybersecurity headlines.
This assessment is dangerously wrong. The value of this dataset is not measured
by its volume but by its target: the operator of a major international airport
that serves as critical national infrastructure. Every employee record in this
dataset represents a potential entry point for a far more consequential attack.

Airport operators employ personnel in uniquely sensitive roles. Among the 864
exposed employees are likely individuals responsible for air traffic management
systems, baggage handling infrastructure, security screening operations, runway
maintenance, fuel management, and communications systems. The combination of
employee names, corporate email addresses, and personal mobile numbers provides
everything needed to launch targeted spear-phishing campaigns against these
individuals. A convincing email sent to an airport IT administrator’s
corporate address, combined with a follow-up text message to their personal phone
creating urgency, is a well-established social engineering pattern that has
compromised far more security-aware organizations than an airport operator.

The corporate email addresses reveal RAC’s email naming conventions, which
can be extrapolated to identify valid email addresses for employees not included
in the leaked dataset. If RAC uses a firstname.lastname@rac.sa pattern, for
example, an attacker with knowledge of any RAC employee’s name from LinkedIn
or other public sources can construct valid email addresses for targeted attacks.
This enumeration capability extends the effective reach of the breach far beyond
the 864 records that were directly exposed.

The $290 price point is itself significant. This low pricing indicates the seller
viewed the data as a commodity product: valuable enough to monetize but not
rare enough to command a premium. This suggests the data may have already been
sold multiple times or shared in private channels before appearing on the public
forum. The actual number of adversaries who possess this data is likely
substantially higher than the public listing suggests, and each purchaser
acquires the same targeting capability against RAC’s workforce.

The timing of this breach is noteworthy in the context of Saudi Arabia’s
aviation expansion. The Kingdom is investing hundreds of billions of dollars in
aviation infrastructure, including the development of a new mega-airport in
Riyadh and the expansion of existing facilities. RAC sits at the center of this
transformation. Employee data from an organization undergoing rapid growth and
digital transformation is particularly valuable to threat actors, as periods of
organizational change often coincide with security gaps, new system deployments,
and employees who are more susceptible to social engineering because of unfamiliar
processes and new colleagues.

## Regulatory Analysis
This breach occurred in May-June 2024, during the transitional period before
the PDPL entered full enforcement on September 14, 2024. While the transitional
provisions offered organizations additional time to achieve compliance, the PDPL’s
core principles were already in effect, and organizations were expected to be
progressing toward full compliance. The exposure of employee personal data on a
cybercrime forum would be evaluated against the security measures RAC had in place
at the time, with consideration for the transitional context.

Under the now fully enforced PDPL, the employee data exposed (names,
identification numbers, email addresses, and phone numbers) constitutes
personal data under Article 2. The unauthorized disclosure of this data on a
cybercrime forum would trigger breach notification obligations under Article 19,
requiring RAC to notify SDAIA and, where the breach poses a risk of harm to
individuals, to notify the affected employees. The structured nature of the
data and its appearance on a for-sale listing suggest deliberate unauthorized
access rather than an accidental exposure, which would inform SDAIA’s
assessment of the severity of the incident.

RAC’s classification as a critical infrastructure operator adds regulatory
weight. Aviation entities in Saudi Arabia are subject to cybersecurity requirements
from the National Cybersecurity Authority (NCA), including the Essential Cybersecurity
Controls. The compromise of employee data from an airport operator, even without
evidence of operational system access, represents a threat to the aviation security
ecosystem. The NCA’s mandate to protect critical national infrastructure
means that even a seemingly small employee data breach at an airport operator
receives scrutiny disproportionate to its volume.

## What Should Have Been Done
The likely attack vector (database access or HR system exploitation) points
to fundamental gaps in application security and access management. HR systems
containing employee records should be segmented from public-facing infrastructure,
accessible only through privileged access workstations with multi-factor authentication.
Database access should be restricted to specific application service accounts with
read-only permissions where appropriate, and all administrative access should be
logged and monitored in real time. Web-facing HR portals, if any existed, should
have been protected by web application firewalls, rate limiting, and anomaly
detection to identify unauthorized data extraction.
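
One way to implement the anomaly detection described above, as an added example (not code from the original article or from RAC): a sliding-window detector that flags any account reading an unusual number of distinct employee records. The log format, account names, window size and threshold are assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Parse 'timestamp account source_ip employee_id'; return None if malformed."""
    try:
        ts, account, src_ip, emp_id = line.split()
        return datetime.fromisoformat(ts), account, src_ip, emp_id
    except ValueError:
        return None

def detect_bulk_reads(lines, window=timedelta(minutes=5), max_distinct=20):
    """Map each offending account to the time it first exceeded max_distinct
    distinct employee records read inside one sliding window."""
    recent = defaultdict(deque)  # account -> (timestamp, employee_id) still in window
    alerts = {}
    events = sorted(e for e in map(parse, lines) if e is not None)
    for ts, account, _src_ip, emp_id in events:
        reads = recent[account]
        reads.append((ts, emp_id))
        while ts - reads[0][0] > window:  # evict reads older than the window
            reads.popleft()
        # Count distinct records, so re-opening one file repeatedly is not an alert.
        if account not in alerts and len({e for _, e in reads}) > max_distinct:
            alerts[account] = ts
    return alerts

def constructed_log():
    """Constructed sample log (not real data): normal use, one record opened
    40 times, a malformed line, and a service account walking 30 records."""
    day = datetime(2024, 1, 15)
    lines = [
        "2024-01-15T09:00:05 hr_clerk1 10.0.4.21 E1001",
        "2024-01-15T09:20:41 hr_clerk1 10.0.4.21 E1002",
        "2024-01-15T09:55:10 hr_clerk1 10.0.4.21 E1001",
        "2024-01-15T10:02 truncated",
    ]
    for i in range(40):
        ts = day + timedelta(hours=11, seconds=3 * i)
        lines.append(f"{ts.isoformat()} hr_clerk2 10.0.4.22 E1002")
    for i in range(30):
        ts = day + timedelta(hours=2, minutes=13, seconds=2 * i)
        lines.append(f"{ts.isoformat()} svc_portal 10.0.9.5 E{1000 + i}")
    return lines

if __name__ == "__main__":
    for account, when in detect_bulk_reads(constructed_log()).items():
        print(f"ALERT {account}: bulk read of employee records at {when.isoformat()}")
```

Counting distinct records rather than raw requests keeps a clerk who reopens one file many times below the threshold while still catching an account that walks the whole table.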
Proactive dark web monitoring should be standard practice for any critical
infrastructure operator. Threat intelligence services that continuously scan
cybercrime forums, paste sites, and Telegram channels for mentions of the
organization’s name, domain, or data patterns can provide early warning of
data exposure. Had RAC maintained such monitoring, the appearance of employee
data on a cybercrime forum could have been detected within hours, enabling
rapid response including credential rotation for affected employees, enhanced
monitoring of authentication systems, and preemptive security awareness alerts
to the workforce about potential spear-phishing attempts.

Employee data minimization should be a design principle for any system that stores
personnel records. The question should always be asked: does this system need to
store personal mobile phone numbers alongside employee IDs and email addresses?
If the legitimate business purpose can be served with fewer data elements, the
additional fields should not be present. Data minimization does not prevent
breaches, but it limits the damage when they occur. An employee directory
containing only names and corporate email addresses is significantly less useful
to a threat actor than one that also includes personal phone numbers and internal
identification numbers.

864 airport employee records sold for $290 may seem like a minor data sale, but
each record is a potential key to King Khalid International Airport’s
operational infrastructure. In aviation security, the threat model does not
distinguish between a $290 data purchase and a million-dollar intelligence
operation: the social engineering attack that follows uses the same data
either way. Critical infrastructure operators cannot afford to assess breach
severity by record count alone.