Spanish airline **Iberia** suffered a **significant data breach** on **November 23, 2025**, originating from a **third-party supplier**. Hackers compromised the vendor’s systems, gaining access to **sensitive customer data**, including **names, email addresses, loyalty program details (Iberia Plus tier statuses, point balances, travel histories)**, as well as **77GB of proprietary technical documents** (e.g., **aircraft maintenance files, engine specifications, internal certificates**). While **payment information and passwords were not exposed**, the breach heightened the risk of **phishing and identity theft**, along with **potential operational risks** if the technical data were exploited. The threat actor advertised the stolen data on **dark web forums for $150,000**, accelerating public disclosure. Iberia isolated affected systems, engaged cybersecurity experts, and offered **free credit monitoring** to impacted customers. The incident underscored **supply-chain vulnerabilities** in aviation, prompting regulatory scrutiny under **GDPR** and industry-wide reviews of third-party security protocols.
Source: https://www.webpronews.com/iberia-data-breach-exposes-customer-details-via-supplier-vulnerability/
Iberia Express cybersecurity rating report: https://www.rankiteo.com/company/iberia-express
{
  "id": "IBE5015650112525",
  "linkid": "iberia-express",
  "type": "Breach",
  "date": "11/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Iberia Plus Loyalty Program '
'Members (exact number '
'undisclosed)',
'industry': 'Aviation',
'location': 'Spain (Headquarters in Madrid)',
'name': 'Iberia Airlines',
'size': 'Large (operates over 100 aircraft, serves '
'millions annually)',
'type': 'Airline'},
{'industry': 'IT/Aviation Services (speculated: CRM or '
'booking system provider)',
'name': 'Unnamed Third-Party Supplier',
'type': 'Vendor'}],
'attack_vector': ['Third-Party Vendor Compromise',
'Misconfigured Cloud Storage (speculated)',
'Inadequate Access Controls (speculated)'],
'customer_advisories': ['Password changes recommended',
'Free credit monitoring offered to affected loyalty '
'program members'],
'data_breach': {'data_exfiltration': 'Yes (77GB of data advertised on dark '
'web)',
'file_types_exposed': ['Customer Databases',
'PDF/Technical Manuals',
'Internal Certificates'],
'personally_identifiable_information': ['Names',
'Email Addresses',
'Loyalty Program '
'Details (travel '
'histories, tier '
'statuses)'],
'sensitivity_of_data': 'High (includes PII and sensitive '
'aviation technical data)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Loyalty Program Data',
'Proprietary Technical '
'Documents']},
'date_publicly_disclosed': '2025-11-23',
'description': 'Spanish airline Iberia, part of the International Airlines '
'Group (IAG), disclosed a significant data breach on November '
'23, 2025, originating from a compromised third-party '
'supplier. The breach exposed sensitive customer information, '
'including names, email addresses, loyalty program details, '
'and technical documents related to aircraft maintenance '
'(e.g., A320, A321 engine specifications and internal '
'certificates). The threat actor advertised 77GB of stolen '
'data on dark web forums for $150,000, raising concerns about '
'phishing, identity theft, and potential risks to aviation '
'safety. Iberia confirmed no payment information or passwords '
'were compromised but advised customers to monitor accounts '
'and change passwords. The incident underscores '
'vulnerabilities in aviation supply chains and the risks of '
'outdated security protocols among third-party vendors.',
'impact': {'brand_reputation_impact': 'High (eroded consumer trust, potential '
'market position decline)',
'customer_complaints': 'Expected (specific numbers not disclosed)',
'data_compromised': ['Customer Names',
'Email Addresses',
'Loyalty Program Details (Iberia Plus tier '
'statuses, point balances, travel histories)',
'Technical Documents (aircraft maintenance '
'files, engine specifications, internal '
'certificates for A320/A321 models)'],
'identity_theft_risk': 'High (phishing and fraud risks due to '
'exposed PII)',
'legal_liabilities': ['Potential GDPR Fines (under investigation '
'by EU regulators)',
'Lawsuits from Affected Customers'],
'operational_impact': ['Potential Risk to Aviation Safety (if '
'technical documents exploited)',
'Disruption to Customer Trust',
'Increased Scrutiny on Vendor Security '
'Practices'],
'payment_information_risk': 'None (confirmed not compromised)',
'systems_affected': ['Third-Party Supplier Systems',
'Potentially Shared CRM/Booking Platforms']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (77GB for $150,000)',
'entry_point': 'Third-Party Supplier’s Systems '
'(likely via misconfigured cloud '
'storage or access controls)',
'high_value_targets': ['Customer PII',
'Aircraft Maintenance '
'Documents',
'Internal Certificates']},
'investigation_status': 'Ongoing (forensic investigation, regulatory '
'inquiries by EU/Spain)',
'lessons_learned': ['Supply chain vulnerabilities are critical attack vectors '
'in aviation.',
'Outdated vendor security protocols can cascade risks '
'across interconnected systems.',
'Proactive dark web monitoring can accelerate breach '
'detection.',
'Transparency in disclosure helps mitigate reputational '
'damage.',
'Zero-trust architectures and real-time supplier '
'monitoring are essential.'],
'motivation': 'Financial Gain (data sold for $150,000 on dark web)',
'post_incident_analysis': {'corrective_actions': ['Enhanced supplier '
'oversight with mandatory '
'security certifications',
'Implementation of '
'zero-trust architectures '
'and MFA',
'AI-driven threat detection '
'and regular penetration '
'testing',
'Collaborative threat '
'intelligence sharing with '
'industry peers'],
'root_causes': ['Vendor’s outdated security '
'protocols',
'Potential misconfigured cloud '
'storage or access controls',
'Lack of real-time monitoring for '
'third-party data flows']},
'ransomware': {'data_exfiltration': 'Yes (but not ransomware-related; data '
'sold on dark web)'},
'recommendations': ['Enforce mandatory security certifications for all '
'third-party vendors.',
'Implement zero-trust frameworks and multi-factor '
'authentication (MFA).',
'Conduct regular penetration testing and AI-driven threat '
'detection.',
'Adopt blockchain-based data verification for supply '
'chain integrity.',
'Enhance employee training on phishing and secure data '
'handling.',
'Establish collaborative threat intelligence sharing '
'within the aviation industry.',
'Invest in AI tools for predictive breach analysis.'],
'references': [{'source': 'BleepingComputer'},
{'source': 'Security Affairs'},
{'source': 'Cybernews'},
{'source': 'Paddle Your Own Kanoo (Analysis on AI in '
'Cybersecurity)'},
{'source': 'Grab The Axe (Report on AI-Driven Threats)'},
{'source': 'X (formerly Twitter) – Cybersecurity Accounts '
'Monitoring Dark Web'}],
'regulatory_compliance': {'legal_actions': ['EU Regulatory Inquiry (Spain’s '
'data protection agency)',
'Potential Lawsuits'],
'regulations_violated': ['Potential GDPR '
'Non-Compliance (under '
'investigation)'],
'regulatory_notifications': ['Customers Notified',
'Regulators Informed '
'(EU GDPR '
'authorities)']},
'response': {'communication_strategy': ['Prompt Public Disclosure',
'Customer Advisories (password '
'changes, account monitoring)'],
'containment_measures': ['Isolation of Affected Systems',
'Dark Web Monitoring for Data Leaks'],
'enhanced_monitoring': 'Yes (real-time monitoring of data flows '
'with suppliers)',
'incident_response_plan_activated': 'Yes (systems isolated, '
'forensic investigation '
'launched)',
'recovery_measures': ['Customer Notifications',
'Free Credit Monitoring for Affected '
'Individuals'],
'remediation_measures': ['Forensic Investigation',
'Supplier Security Audit'],
'third_party_assistance': 'Yes (cybersecurity experts engaged)'},
'stakeholder_advisories': ['Customers advised to enable two-factor '
'authentication and monitor accounts'],
'title': 'Iberia Airlines Data Breach via Third-Party Supplier',
'type': ['Data Breach', 'Supply Chain Attack'],
'vulnerability_exploited': ['Outdated Security Protocols (vendor)',
'Potential Configuration Flaws in Shared '
'Platforms (e.g., Salesforce-like systems)']}