Theme park giant Parques Reunidos hit by a ransomware cyber attack

Madrid-based Parques Reunidos group has disclosed a cybersecurity incident this week. Threat actors behind the incident claim to possess over 1 TB of the company’s sensitive data.

Parques Reunidos is among world’s largest leisure and adventure park operators with 50 properties, including aquariums, amusement parks, zoos, and water parks across Europe, the Americas, and Australia. The group reportedly rakes in an annual revenue anywhere between $600 million and $2.3 billion.

Systems suffered ‘unauthorized external access’

In a cybersecurity incident notice published this week, Parques Reunidos has disclosed that threat actors gained unauthorized access to its IT systems, as the company continues with its forensic investigations into the incident.

“At Parques Reunidos Group we are committed to transparency and therefore, we share with you that we have been subjected to an unauthorized external access to our computer systems,” states the notice.

“Upon learning of the incident, we immediately adopted technical and organizational measures to contain it and to prevent further unauthorized external access: appointment of forensic specialists and cybersecurity experts to investigate the incident and reinforce the security of our data, immediate shutdown of affected systems, immediate blocking of users with affected information systems, blocking of remote access connections (VPN), temporary isolation of the data center, blocking of passwords to access information systems for all users of the organization.”

Further, the organization took additional measures including tightening of access controls for certain user groups, expanding its collection sources for ingesting log events, as well as raising cybersecurity awareness among its employees.

Spanish Data Protection Authority (AEPD) was notified of the development and Parques Reunidos states that it is “fully cooperating” with the authorities.

Parques Reunidos maintains an extensive presence as an entertainment operator around the world. Some of the company’s U.S.-based properties include Adventureland, Castle Park, Kennywood, and Dutch Wonderland. In 2016, the adventure park giant undertook the management of UAE-based ‘Motiongate Dubai,’ a Hollywood-inspired theme park.

Bian Lian ransomware claims responsibility

Around March 3rd, 2023, a ransomware group that goes by the name, ‘Bian Lian,’ claimed responsibility for the cyber attack. This development was first brought to our attention by Israel-based cybersecurity intel feed provider, DarkFeed and threat intel analyst Dominic Alvieri.

On its data leak site seen by Security Report, Bian Lian claims to have stolen more than 1 Terabytes (TB) of data belonging to Parques Reunidos. A sample data set earlier shared by Bian Lian via a third-party file hosting website is no longer available. As such, Security Report is unable to verify the veracity of the ransomware group’s claims at this time.

The ransomware operator claims to hold personal information on the company’s employees, including their ID document and passport scans, client information, medical test reports and certifications, legal and tax documents, sensitive financial records as well as internal and external email communications.

Parques Reunidos has not disclosed how much is the ransom demand and if the company will be paying the ransom.

Security Report has approached Parques Reunidos with additional questions prior to publishing. We did not immediately hear back. This piece will be updated as more information becomes available.