Spanish airline **Iberia** disclosed a **data breach** stemming from the compromise of a **third-party service provider**. The incident exposed **personal customer data**, including **names, email addresses, and Iberia Plus loyalty card numbers**; passwords and full payment details remained secure. Separately, a **threat actor** claimed responsibility on a dark web forum, advertising **77 GB of stolen internal data** for $150,000. The leaked dataset allegedly includes **sensitive aircraft technical documentation** (A320/A321 models), **AMP maintenance files, engine data, and signed internal documents**, some labeled as **ISO 27001 and ITAR-classified**, indicating regulated, export-controlled material. Iberia confirmed that it has no evidence of fraudulent use so far, but the breach involved **highly sensitive corporate and operational data**, raising concerns over **intellectual property theft, regulatory violations, and potential operational risks**. The airline has tightened security measures, including **enhanced verification for account changes and increased monitoring**, and is collaborating with vendors and notifying **Spanish and EU data protection authorities** in compliance with GDPR. The breach was first detected in **mid-November 2025**, with customer notifications issued later.
Source: https://cyberinsider.com/iberia-breach-exposed-frequent-flyer-data-hacker-leaks-files/
Iberia Express cybersecurity rating report: https://www.rankiteo.com/company/iberia-express
"id": "IBE5920359112425",
"linkid": "iberia-express",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Undisclosed (subset of Iberia '
'Plus loyalty program members '
'and potentially other '
'stakeholders)',
'industry': 'Aviation',
'location': 'Spain',
'name': 'Iberia Líneas Aéreas de España (Iberia)',
'size': 'Large (Flag carrier, part of International '
'Airlines Group)',
'type': 'Airline'}],
'attack_vector': ['Supply Chain Attack', 'Third-Party Vendor Exploitation'],
'customer_advisories': ['No evidence of fraudulent use detected',
'Report suspicious activity promptly',
'Vigilance recommended for phishing or identity theft '
'attempts'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['Documents',
'Maintenance Files',
'Technical Specifications',
'Internal Correspondence'],
'personally_identifiable_information': ['Names',
'Email Addresses',
'Loyalty Card '
'Numbers'],
'sensitivity_of_data': 'High (includes ITAR-classified and '
'ISO 27001-protected materials)',
'type_of_data_compromised': ['Personal Data (PII)',
'Corporate/Technical Data',
'Regulated/Classified Data (ISO '
'27001, ITAR)']},
'date_detected': '2025-11-14',
'description': 'Spanish airline Iberia disclosed a data breach affecting '
'customer personal information, including names, email '
'addresses, and Iberia Plus loyalty card numbers. The breach '
'originated from a compromised third-party supplier system. A '
'threat actor claimed responsibility on a dark web forum, '
'advertising 77 GB of stolen internal data (including aircraft '
'technical documentation, maintenance files, and '
'ITAR-classified materials) for $150,000. Iberia confirmed no '
'exposure of account passwords or full payment details but has '
'enhanced security measures and notified regulatory '
'authorities.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'exposure of sensitive and regulated '
'data',
'data_compromised': ['Names',
'Email Addresses',
'Iberia Plus Loyalty Card Numbers',
'Aircraft Technical Documentation (A320/A321)',
'AMP Maintenance Files',
'Engine Data',
'Signed Internal Documents',
'ISO 27001/ITAR-Classified Materials'],
'identity_theft_risk': 'Low (no passwords or full payment details '
'exposed)',
'legal_liabilities': 'Regulatory scrutiny under Spanish/EU data '
'protection laws (e.g., GDPR)',
'payment_information_risk': 'None (full payment details confirmed '
'secure)',
'systems_affected': ['Third-Party Supplier System']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': 'Third-Party Service Provider System',
'high_value_targets': ['Aircraft Technical '
'Documentation',
'ITAR-Classified Data']},
'investigation_status': 'Ongoing (internal and external investigations in '
'collaboration with vendors)',
'motivation': ['Financial Gain', 'Data Theft for Resale'],
'post_incident_analysis': {'corrective_actions': ['Enhanced verification '
'processes',
'Increased monitoring',
'Technical safeguards'],
'root_causes': ['Third-party vendor compromise']},
'ransomware': {'data_exfiltration': True,
'ransom_demanded': '$150,000 (for 77 GB dataset on dark web)'},
'recommendations': ['Customers advised to monitor accounts for suspicious '
'activity',
'Enhanced verification for account changes',
'Collaboration with third-party vendors to secure supply '
'chain'],
'references': [{'source': 'Hackmanac (Cybersecurity Monitoring Group)'},
{'source': 'Iberia Customer Notification Letter'}],
'regulatory_compliance': {'regulations_violated': ['GDPR (EU General Data '
'Protection Regulation)',
'Spanish Data Protection '
'Laws',
'Potential ITAR '
'(International Traffic in '
'Arms Regulations) '
'violations'],
'regulatory_notifications': ['Spanish Data '
'Protection Authority',
'Relevant EU bodies']},
'response': {'communication_strategy': ['Customer notifications (weekend '
'disclosure)',
'Advisories for vigilance against '
'fraud'],
'containment_measures': ['Tightened account change procedures '
'(additional verification for email '
'modifications)',
'Increased monitoring for suspicious '
'activity'],
'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'remediation_measures': ['Enhanced technical safeguards'],
'third_party_assistance': True},
'stakeholder_advisories': ['Customers notified via letter',
'Regulatory authorities informed'],
'threat_actor': {'dark_web_presence': True},
'title': 'Iberia Data Breach via Third-Party Service Provider',
'type': ['Data Breach', 'Third-Party Compromise']}