The Spanish flag carrier **Iberia** suffered a major **data breach** orchestrated by the Russian-linked cybercriminal group **Everest**. The attackers claim to have stolen **596 GB of sensitive data**, including **5 million passenger records** with **names, contact details, birthdates, travel/booking information, and masked credit card data**. Initially, Iberia acknowledged only the compromise of **frequent flyer program details (names, emails, and loyalty numbers)**, but Everest asserts the breach is far more extensive, involving **internal technical data for aircraft and engines** as well. The group, known for **financially motivated extortion**, has demanded a **ransom** in exchange for not leaking the stolen data. Everest previously disrupted **European airports** (e.g., Brussels, Heathrow, Berlin) via an attack on **Collins Aerospace’s MUSE check-in system**, causing flight cancellations. If leaked, the stolen passenger data could fuel **large-scale phishing scams**, tricking victims into revealing financial or personal information via **malware-laden links or fake airline websites**. Iberia has not confirmed the full scope of the breach, but the incident underscores the aviation sector’s growing vulnerability to **cyber extortion and data theft**.
Iberia Express cybersecurity rating report: https://www.rankiteo.com/company/iberia-express
{
  "id": "IBE26101526112625",
  "linkid": "iberia-express",
  "type": "Cyber Attack",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
    'affected_entities': [
        {
            'customers_affected': '5+ million (based on 5 million records in .eml files)',
            'industry': 'Aviation',
            'location': 'Madrid, Spain',
            'name': 'Iberia',
            'type': 'Airline',
        },
        {
            'location': 'Global',
            'name': 'Iberia Club members',
            'type': 'Customer group',
        },
    ],
    'attack_vector': [
        'Third-party software vulnerability (customer management system)',
        'Dark web extortion',
    ],
    'customer_advisories': 'Passengers warned about potential phishing scams using stolen data',
    'data_breach': {
        'data_exfiltration': 'Yes (596 GB of data, including 430 GB of .eml files)',
        'file_types_exposed': [
            '.eml (email files)',
            'Technical documents (claimed)',
        ],
        'number_of_records_exposed': '5+ million (from .eml files)',
        'personally_identifiable_information': [
            'Names',
            'Email addresses',
            'Birthdates',
            'Frequent flyer numbers',
            'Contact details',
        ],
        'sensitivity_of_data': 'High (PII, travel details, technical data)',
        'type_of_data_compromised': [
            'Personal identifiable information (PII)',
            'Travel/booking records',
            'Financial data (masked credit cards)',
            'Technical data (aircraft/engine specifications, claimed)',
            'Internal documents (claimed)',
        ],
    },
    'date_publicly_disclosed': '2025-11-23',
    'description': 'A Russian-linked cybercriminal group, Everest, claimed '
                   'responsibility for a data breach at Spanish flag carrier '
                   'Iberia, alleging the theft of 596 GB of sensitive passenger '
                   'data, including names, contact details, birthdates, '
                   'travel/booking information, and masked credit card data. The '
                   'group, financially motivated, attempted to extort Iberia by '
                   'threatening to leak the data publicly. The breach was linked '
                   'to a third-party customer management software vulnerability. '
                   'Everest also claimed to have compromised Iberia’s internal '
                   'systems, stealing technical data related to aircraft and '
                   'engines. The incident follows a pattern of increasing '
                   'cyberattacks on the aviation industry, with recent breaches '
                   'at Air France-KLM, Qantas, Hawaiian Airlines, and WestJet, '
                   'often tied to third-party software like Salesforce.',
    'impact': {
        'brand_reputation_impact': 'High (potential loss of trust due to sensitive data exposure and extortion threats)',
        'data_compromised': [
            'Names',
            'Contact details (email addresses)',
            'Birthdates',
            'Travel and booking information',
            'Frequent flyer numbers',
            'Masked credit card data',
            'Technical data for aircraft and engines (claimed)',
            'Internal documents (claimed)',
        ],
        'identity_theft_risk': 'High (phishing scams using stolen passenger details)',
        'payment_information_risk': 'Moderate (masked credit card data exposed)',
        'systems_affected': [
            'Customer management software (third-party)',
            'Internal computer systems (claimed, including technical data repositories)',
        ],
    },
    'initial_access_broker': {
        'data_sold_on_dark_web': 'Threatened (not yet confirmed)',
        'entry_point': 'Third-party customer management software',
        'high_value_targets': [
            'Passenger PII',
            'Technical aircraft data (claimed)',
        ],
    },
    'investigation_status': 'Ongoing (Iberia has not responded to requests for comment)',
    'motivation': 'Financial gain (ransom extortion)',
    'post_incident_analysis': {
        'root_causes': [
            'Third-party software vulnerability',
            'Inadequate protection of sensitive data',
        ],
    },
    'ransomware': {
        'data_exfiltration': 'Yes (596 GB)',
        'ransom_demanded': 'Yes (amount unspecified, negotiations attempted)',
    },
    'references': [
        {
            'date_accessed': '2025-11-25',
            'source': 'Hackmanac (Twitter/X)',
            'url': 'https://t.co/rYSGnNeBN1',
        },
        {
            'date_accessed': '2025-11-23',
            'source': 'Iberia Customer Advisory (Email to Iberia Club members)',
        },
        {
            'date_accessed': '2025-11',
            'source': 'Dark Web Post by Everest Group',
        },
    ],
    'response': {
        'communication_strategy': 'Alerted Iberia Club members via email about potential data compromise',
        'containment_measures': ['Securing IT systems (details unspecified)'],
        'incident_response_plan_activated': 'Yes (Iberia secured its IT systems post-breach)',
    },
    'stakeholder_advisories': 'Iberia Club members notified via email',
    'threat_actor': 'Everest (Russian-linked cybercrime group)',
    'title': 'Data Breach at Iberia Airlines by Everest Hacking Group',
    'type': ['Data Breach', 'Extortion', 'Cyberattack'],
    'vulnerability_exploited': 'Third-party customer management software (details unspecified)',
}