The Everest ransomware group breached Dublin Airport, claiming to have stolen approximately 1,533,900 passenger records, including highly sensitive travel and personal data. The compromised information covers full names, flight details (dates, seat numbers, flight numbers, departure/destination codes), frequent flyer data, baggage tags, boarding pass timestamps, check-in device IDs, and verification statuses. The data is currently password-protected on the group’s dark web leak site, with a six-day deadline for the airport to negotiate before public exposure. This breach poses severe risks of identity theft, travel fraud, and operational disruptions, given the granularity of the exposed records. The attack aligns with Everest’s recent focus on the aviation sector, following similar incidents like the Collins Aerospace breach, which caused widespread airport outages across Europe. The group’s extortion tactics—combining data theft with ransom demands—heighten the urgency for Dublin Airport to mitigate reputational, financial, and regulatory fallout.
Source: https://hackread.com/everest-ransomware-dublin-airport-passenger-data/
TPRM report: https://www.rankiteo.com/company/dublin-airport-authority-daa-
{
  "id": "dub4102041102725",
  "linkid": "dublin-airport-authority-daa-",
  "type": "Ransomware",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 1533900,
'industry': 'aviation',
'location': 'Dublin, Ireland',
'name': 'Dublin Airport',
'type': 'airport operator'},
{'industry': 'aviation',
'location': 'Sharjah, United Arab Emirates',
'name': 'Air Arabia',
'type': 'airline'},
{'industry': 'aerospace/aviation',
'name': 'Collins Aerospace',
'type': 'technology provider'}],
'attack_vector': ['exposed FTP server with weak credentials (Collins '
'Aerospace)',
'unknown (Dublin Airport, Air Arabia)'],
'customer_advisories': ['Follow protective measures if potentially affected; '
'await official guidance from Dublin Airport, Air '
'Arabia, or authorities.'],
'data_breach': {'data_exfiltration': ['confirmed (all entities)'],
'file_types_exposed': ['passenger records (Dublin Airport)',
'employee records (Air Arabia)',
'operational documents (Collins '
'Aerospace)'],
'number_of_records_exposed': [{'entity': 'Dublin Airport',
'records': 1533900},
{'entity': 'Air Arabia',
'records': 18000},
{'entity': 'Collins Aerospace',
'records': None}],
'personally_identifiable_information': ['full names, flight '
'details, passenger '
'IDs, frequent flyer '
'info (Dublin '
'Airport)',
'employee details '
'(Air Arabia)'],
'sensitivity_of_data': ['high (passenger PII, travel details)',
'moderate (employee PII)'],
'type_of_data_compromised': ['passenger travel data (Dublin '
'Airport)',
'employee personal details (Air '
'Arabia)',
'airline operations documents '
'(Collins Aerospace)']},
'date_publicly_disclosed': '2025-10-07',
'description': 'The Everest ransomware group announced breaches of Dublin '
'Airport, Air Arabia, and Collins Aerospace, claiming theft of '
'sensitive passenger, employee, and operational data. The '
'group has been increasingly targeting the aviation industry, '
'causing operational disruptions and data exposure risks. '
'Dublin Airport and Air Arabia were given a six-day deadline '
'to respond before data is leaked publicly. Collins '
"Aerospace's breach in September 2025 led to widespread "
'airport disruptions across Europe, with the group alleging '
'poor security practices and internal coordination failures.',
'impact': {'brand_reputation_impact': ['high (potential loss of trust in '
'aviation security)',
'negative media coverage'],
'data_compromised': [{'details': ['passenger data (full name, '
'flight date, passenger ID, seat '
'number, flight number, '
'departure/destination airport '
'codes, fast track/priority '
'status, travel class, '
'timestamps, barcodes, departure '
'date, workstation ID, frequent '
'flyer details, '
'operating/marketing carrier, '
'sequence number, passenger '
'status, boarding pass issuer, '
'baggage allowance, baggage tag '
'numbers, boarding pass issue '
'date, document type, airline '
'numeric code, check-in/boarding '
'pass issuance source, device '
'details, baggage tag plate '
'numbers, selectee indicator, '
'international document '
'verification status)'],
'entity': 'Dublin Airport',
'records': 1533900},
{'details': ['employee personal details'],
'entity': 'Air Arabia',
'records': 18000},
{'details': ['airline operations documents',
'passenger data'],
'entity': 'Collins Aerospace',
'records': None}],
'downtime': [{'description': 'Critical servers shut down on '
'September 19, 2025, causing '
'disruptions across European airports '
'(London Heathrow, Berlin, Brussels).',
'duration': None,
'entity': 'Collins Aerospace'},
None],
'identity_theft_risk': ['high (Dublin Airport passenger data)',
'moderate (Air Arabia employee data)'],
'operational_impact': ['widespread delays and slowdowns at '
'European airports (September 2025)',
'potential travel disruptions for Dublin '
'Airport passengers if data leaked',
None],
'systems_affected': ['check-in systems (Collins Aerospace, '
'September 2025 incident)',
'passenger processing systems (European '
'airports, September 2025)',
'FTP server (Collins Aerospace)',
None]},
'initial_access_broker': {'data_sold_on_dark_web': ['password-protected '
'listings (Dublin '
'Airport, Air Arabia)',
'potential future leak if '
'demands unmet'],
'entry_point': ['exposed FTP server with weak '
'credentials (Collins Aerospace)'],
'high_value_targets': ['passenger data (Dublin '
'Airport)',
'employee data (Air Arabia)',
'operational documents '
'(Collins Aerospace)']},
'investigation_status': [{'entity': 'Dublin Airport',
'status': 'ongoing (awaiting official statement)'},
{'entity': 'Air Arabia',
'status': 'ongoing (awaiting official statement)'},
{'entity': 'Collins Aerospace',
'status': "partial (group's claims published; law "
'enforcement involved)'}],
'motivation': ['financial extortion', 'data theft', 'reputation damage'],
'post_incident_analysis': {'root_causes': [{'causes': ['exposed FTP server',
'weak credentials',
'poor internal '
'coordination',
'delayed response'],
'entity': 'Collins Aerospace'},
None]},
'ransomware': {'data_exfiltration': ['confirmed (all entities)'],
'ransom_demanded': ['unspecified (Dublin Airport, Air Arabia)',
"none (Collins Aerospace, per group's "
'claim)'],
'ransomware_strain': 'Everest'},
'references': [{'date_accessed': '2025-10-07', 'source': 'Hackread.com'}],
'regulatory_compliance': {'legal_actions': [{'details': 'Arrest of a '
'40-year-old man in '
'the UK (October '
'2025).',
'entity': 'Collins Aerospace'}]},
'response': {'containment_measures': [{'details': 'Cut off access to exposed '
'FTP server (September 11, '
'2025).',
'entity': 'Collins Aerospace'},
None],
'enhanced_monitoring': [{'details': 'Detected unauthorized '
'access between September '
'10–11, 2025.',
'entity': 'Collins Aerospace'}],
'incident_response_plan_activated': [{'details': 'Shut down '
'critical '
'servers on '
'September 19, '
'2025, after '
'detecting '
'breach.',
'entity': 'Collins '
'Aerospace'},
None],
'law_enforcement_notified': [{'details': 'UK authorities '
'arrested a 40-year-old '
'man in West Sussex in '
'connection with the '
'attack.',
'entity': 'Collins Aerospace '
'(September 2025)'}]},
'threat_actor': 'Everest ransomware group',
'title': 'Everest Ransomware Group Targets Dublin Airport, Air Arabia, and '
'Collins Aerospace in Aviation Industry Cyberattacks',
'type': ['ransomware', 'data breach', 'cyberattack'],
'vulnerability_exploited': ['weak credentials (FTP server)']}