CoinbaseCartel Claims Access to Panasonic Avionics, Supplier of IFE for Over 200 Airlines

On 22 May 2026, the extortion group CoinbaseCartel published a claim of access to the domain panasonic.aero, affecting Panasonic Avionics Corporation, the division responsible for in-flight entertainment systems, Wi-Fi connectivity, and aircraft communications. The disclosure was tracked by the Ransomware.live service and reported by SC Media. As of the closure of this article, Panasonic Avionics had not publicly commented, and no regulatory authority had independently confirmed the incident.

Panasonic Avionics is not a peripheral supplier to the aviation industry: the company serves over 200 airlines and covers approximately 70% of the global fleet of aircraft equipped with in-flight entertainment (IFE) systems, according to the company’s own data. Its embedded systems operate on aircraft from Boeing, Airbus, and Bombardier. Its cloud platform processes passenger data, flight logs, and digital content updates in real time, meaning that a compromise of its data environment impacts, by extension, the information chain of every client operator.

CoinbaseCartel: Extortion without Encryption

Unlike groups such as LockBit or ALPHV, CoinbaseCartel does not encrypt victims' systems. Its operation is solely based on data exfiltration, which means that the affected organisations do not experience immediate operational disruption, but are placed under pressure for the public disclosure of confidential information. The group records 170 confirmed victims in 34 countries, with the technology sector accounted for 49 of these cases, according to data from Ransomware.live.

The initial access vector is consistent: stolen credentials through infostealers, exploited before organisations rotate their passwords. Threat intelligence researchers have noted that approximately 80% of the group's victims already had compromised credentials indexed in malware forums prior to the attack. After gaining access, the group employs native cloud tooling without deploying executables on the victim's systems. The victim receives notification with 48 hours to make contact, opening a ten-day negotiation window. The group has been observed practising double extortion, initially charging for not leaking and then for the deletion of backup copies of the exfiltrated data.

Why Aviation is a Growing Target

The aviation sector concentrates high-value data, long lifecycle systems, and a complex supply chain ranging from embedded systems to ground support platforms. Extortion groups have intensified attacks against aviation and the aerospace sector throughout 2025 and 2026, according to a survey by CybersecurityNews, attracted by the combination of passenger data, maintenance records, and sensitive operational information.

In the case of Panasonic Avionics, the most immediate risk for client airlines is reputational and regulatory: if the group exfiltrated passenger data processed by the IFE platform, operators are exposed to mandatory notifications under the GDPR for flights with European passengers and the CCPA for the North American market, even if the breach occurred in a third-party supplier's infrastructure. Ignoring this point has cost companies fines exceeding 4% of their global annual revenue in recent precedents from the European regulator.

What Changes for Airlines

The question that the security teams of the more than 200 client operators need to answer is twofold: what data was shared with Panasonic Avionics in the IFE contracts, and what data breach liability clause is currently in effect in those contracts?

The CoinbaseCartel's pattern of using compromised credentials from infostealers reinforces the need for immediate rotation of API tokens and integration credentials used in the interfaces with Panasonic. The absence of encryption in the attack should not lead to complacency: exfiltrated data becomes a permanent liability and can be reused in secondary attacks against the operators themselves.

The incident marks the second confirmed compromise of Panasonic Avionics in less than three years. The company had disclosed an intrusion in 2023 dating back to December 2022, involving exposure of names, health data, financial information, and identification document numbers of employees. The recurrence of attacks against the same target in a relatively short interval signals that the credential hygiene controls within the division have not yet reached the standard required for the threat profile the company faces. For IT consultancies with clients in aviation, this presents an opportunity for a discussion regarding the review of supplier contracts and security due diligence in software supply chains.

---

Editor's note (25/05/2026): This article has been updated to clarify the status of the incident. The original version described SC Media's report as a "confirmation" of the breach, whereas SC Media and Ransomware.live report the claim published by CoinbaseCartel itself on the leak site. As of the date of this update, Panasonic Avionics had not officially commented. The New Times reports claims from cybercriminal groups as claims and only uses "confirmation" when there is a statement from the victim, the regulator, or independent primary wire reporting.