**Iberia Confirms Data Breach Exposing Aircraft Technical Data and Customer Information**
Spanish airline Iberia has acknowledged a data breach involving 77 GB of sensitive internal documents and customer data, first identified in November 2024. The breach was exposed this week by cybersecurity firm Hudson Rock, which linked the incident to a threat actor known as Zestix, who had been auctioning stolen corporate data from approximately 50 companies and law firms.
The attacker allegedly compromised Iberia’s ShareFile instance—a file-sharing platform developed by Progress Software—after infecting an employee’s device with infostealer malware to harvest credentials. The stolen data includes technical materials for Airbus A320 and A321 aircraft, such as maintenance files, engine specifications, damage charts, and confidential fleet information. While Iberia stated that the exposed data was "non-operational" and did not compromise flight safety, Hudson Rock noted that the files contained digital signatures and proprietary configurations that could be valuable to competitors or state actors.
In addition to technical documents, the breach exposed personal data of Iberia customers, including names, email addresses, phone numbers, Iberia Club membership numbers, and booking reference codes for future flights. Iberia reported the incident to Spanish regulators, including the Spanish Data Protection Agency, and notified affected customers in late 2024. The airline also implemented two-factor authentication (2FA) for impacted accounts to prevent unauthorized access.
Zestix, the threat actor behind the breach, operates as an initial access broker within Russian-language cybercrime forums, selling compromised corporate access for Bitcoin. Hudson Rock’s investigation linked one of Zestix’s aliases to an Iranian national and associated the group with the Funksec cybercriminal collective. While Iberia confirmed the breach, none of the other companies listed in Hudson Rock’s report have publicly acknowledged being affected.
Source: https://therecord.media/spanish-airline-attributes-recent-breach-allegation-to-nov-incident
Iberia cybersecurity rating report: https://www.rankiteo.com/company/iberia
{
  "id": "IBE1767821517",
  "linkid": "iberia",
  "type": "Breach",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': 'Hundreds',
            'industry': 'Aviation',
            'location': 'Spain',
            'name': 'Iberia',
            'size': 'Large',
            'type': 'Airline'
        }
    ],
    'attack_vector': 'Infostealer Malware',
    'customer_advisories': 'Breach notices sent to affected customers; public statement issued',
    'data_breach': {
        'data_exfiltration': True,
        'personally_identifiable_information': [
            'Names',
            'Email addresses',
            'Phone numbers',
            'Iberia Club membership numbers',
            'Booking reference codes'
        ],
        'sensitivity_of_data': 'High (proprietary aircraft data, customer PII)',
        'type_of_data_compromised': [
            'Technical materials for A320 and A321 aircraft',
            'Maintenance files',
            'Engine data',
            'Aircraft damage charts',
            'Confidential fleet data',
            'Customer personal data'
        ]
    },
    'date_detected': '2024-11',
    'date_publicly_disclosed': '2024-05-20',
    'description': 'A threat actor named Zestix allegedly used infostealer malware to infect an employee’s device, obtaining credentials and breaching Iberia’s ShareFile instance. The hacker stole 77 GB of data, including technical materials for aircraft, maintenance files, and customer personal data. The breach was reported to Spanish regulators, and affected customers were notified.',
    'impact': {
        'brand_reputation_impact': 'Potential impact due to exposure of proprietary data and customer information',
        'data_compromised': '77 GB of data',
        'identity_theft_risk': 'High (customer personal data exposed)',
        'legal_liabilities': 'Reported to Spanish Data Protection Agency',
        'operational_impact': 'Limited, non-operational data exposed; flight safety not compromised',
        'systems_affected': 'ShareFile (Progress Software)'
    },
    'initial_access_broker': {
        'data_sold_on_dark_web': True,
        'entry_point': 'Infostealer malware infection on employee device',
        'high_value_targets': 'Corporate file-sharing portals (ShareFile)'
    },
    'investigation_status': 'Ongoing',
    'motivation': 'Financial gain (ransom demand), Data exfiltration for sale',
    'post_incident_analysis': {
        'corrective_actions': 'Two-factor authentication enabled for affected customers',
        'root_causes': 'Infostealer malware infection leading to credential compromise'
    },
    'ransomware': {'data_exfiltration': True, 'ransom_demanded': '$150,000'},
    'references': [
        {'date_accessed': '2024-05-20', 'source': 'Hudson Rock'},
        {'date_accessed': '2024-05-20', 'source': 'Recorded Future News'}
    ],
    'regulatory_compliance': {
        'regulations_violated': ['Spanish Data Protection Law'],
        'regulatory_notifications': ['Spanish Data Protection Agency']
    },
    'response': {
        'communication_strategy': 'Breach notices sent to affected customers; public statement issued',
        'containment_measures': 'Two-factor authentication enabled for affected customers'
    },
    'threat_actor': 'Zestix',
    'title': 'Iberia Data Breach via Infostealer Malware',
    'type': 'Data Breach',
    'vulnerability_exploited': 'Compromised employee credentials'
}