Ransomware Group Claims Cyberattack on Buffalo Convention Center
Skift Take
Large amounts of attendee, exhibitor, and payment data make convention centers a prime target for cyberattacks.
Akira, a ransomware group that has extorted more than $250 million from organizations worldwide, is threatening to publish 46 gigabytes of data allegedly stolen from the Buffalo Convention Center, including employee records, contracts, financial information, and personal data tied to approximately 180,000 individuals.
Ben Taylor, resilience director at Gate 15, cautioned that ransomware groups often exaggerate the scope of stolen data. The reported figure of 180,000 affected individuals could reflect information obtained through a third-party vendor, a direct breach of venue systems, or inflated claims intended to increase pressure on victims.
Buffalo Convention Center did not respond to requests for comment. The dark web monitoring company Breach Sense confirmed the Buffalo Convention Center data breach.
The FBI classifies Akira as a ransomware-as-a-service gang that has extorted more than $250 million from hundreds of organizations since 2023.
Convention Centers Cybersecurity Challenge
The alleged breach points to a growing cybersecurity challenge for convention centers, which increasingly serve as repositories for attendee registrations, exhibitor information, payment data, contracts, and operational systems.
“Ransomware groups claim to have infiltrated an organization to create leverage for a quick and easy payment. There are cases where these are legitimate claims and some that are not,” said Taylor.
The attack also reflects the evolution of modern ransomware operations. Groups like Akira frequently use “double extortion” tactics. They steal sensitive files before encrypting networks and then threaten to release the data if payment is not made.
Taylor said advances in AI are accelerating the threat by making phishing attacks and other cybercrime techniques easier to scale and personalize.
“It is an increasing liability, and as AI advances, it is becoming easier for cybercriminals to stay one step ahead,” he said.
Cybersecurity Can’t Be Overlooked
The Long Beach Convention & Entertainment Center, in its case, notified those impacted and gave them a complimentary 24-month membership to Experian’s IdentityWorks.
High-profile hospitality breaches have demonstrated the operational impact ransomware can have. MGM Resorts reported that a 2023 cyberattack exposed personal information belonging to millions of guests and disrupted hotel operations for days. Caesars Entertainment was also attacked and reportedly paid approximately $15 million to attackers.
The threat extends beyond convention centers. In April, Carnival Corporation was attacked by a group that claims to have accessed over 8.7 million records, including names, dates of birth, and other sensitive data.
“After detecting unauthorized online activity involving a single user account, we acted quickly to shut it down and block any further unauthorized access and have notified law enforcement,” Carnival said in a statement.
Cybersecurity Part of Due-Diligence
For planners, cybersecurity is increasingly becoming part of venue due diligence alongside pricing, availability, and logistics.
Taylor recommends planners ask venues about cybersecurity oversight, recent risk assessments, cyber insurance coverage, breach notification protocols, and what type of attendee or exhibitor data can be affected if an incident occurs. He also recommends checking whether a venue carries cyber liability insurance, and for how much.
“Obviously, this type of thing is not one size fits all, and the size of the organization, the sensitive nature of the business, or attendees, will all impact how much risk a planner may be willing to take on,” said Taylor.
Jeff Saunders, a cybersecurity advisor, said that venues have a responsibility to ensure that their vendors protect their systems. “Many times the entity that is hacked was not the one who was breached; it's often a vendor who provided the pathway in by not having their systems properly secured,” said Saunders. “Many organizations are now requiring their down-line vendors to comply with known industry standards for cybersecurity.”