Massive Cyber Breach at Iberia Airlines Puts Traveler Information at Risk
EVENT SUMMARY
▪ On 29 November 2025, Spanish airline Iberia admitted that hackers had accessed confidential customer information.
▪ The timing of the disclosure is notable. About a week before Iberia’s “customer notifications” went out, a threat actor claimed on dark web forums to be selling 77 GB of alleged Iberia data for $150,000.
▪ The following week, the Everest ransomware gang claimed responsibility for the attack, reportedly accessing nearly 600 gigabytes of data, including approximately 5 million passenger records (names and email addresses; birthdates and contact details; travel and booking information, including booking references; Iberia Club loyalty card identification numbers; and masked credit card data, not full numbers) as well as internal technical data for aircraft and engines.
▪ Everest, a known Russia-linked cybercriminal organization, emerged in December 2020 and quickly evolved from data exfiltration to full ransomware with dual AES/DES encryption.
▪ Everest’s modus operandi includes hybrid ransomware, Initial Access Broker services, and corporate insider recruitment with cash or profit-sharing offers.
▪ In October 2025, Everest claimed to run ransomware attacks resulting in compromised aviation systems at London Heathrow, Brussels, and Berlin airports. These reports remain unverified.
▪ Everest demanded $6 million from the airline to prevent the full data leak. They posted threats on the dark web and provided screenshots as proof of access.
▪ Iberia claims that the breach originated from a third-party supplier. While the supplier has not yet been identified, it is believed that an employee at the vendor company likely fell for a phishing scam.
▪ As far as we know, flight safety was not compromised, and no flight disruptions occurred as a result of the breach.
▪ Following the incident, Iberia sent an email to customers to apprise them of the situation and urged them to remain vigilant for suspicious communications and phishing attempts.
INSIGHTS
▪ The breach can result in reputational damage for Iberia and erode customer trust in the airline’s ability to protect their personal information. The sensitivity of the stolen data lies in the fact that it contains detailed personal and travel information, which could be exploited for identity theft, targeted attacks, or broader criminal activities if released.
▪ This incident clearly demonstrates that the aviation domain remains an attractive target for cyber adversaries. Furthermore, as airlines become increasingly reliant on technology, the risk of cyber threats continues to increase.
▪ According to recent reports on global threats, there has been a ‘600% increase in ransomware attacks in the aviation sector in one year.’ This alarming trend suggests that ransomware attacks in the aviation sector are likely to increase in the coming years.
▪ Although this case study focuses on the theft and leakage of passenger data, including sensitive personal information, it is important to recognize that a successful breach of an airline’s security systems can have far more severe implications. In certain scenarios, such intrusions could escalate into safety or security hazards with the potential to result in loss of life.
▪ Major players in the aviation ecosystem are increasingly recognizing the interconnectedness of their operations. Interfaces and interdependencies can pose grave risks: an attack on any one system or network can trigger cascading effects across other systems, potentially leading to large-scale disruption of airport, airline, and other aviation stakeholder operations.
▪ According to Iberia, the attack that resulted in the leakage of sensitive information was executed through a breach at one of the airline’s suppliers. This underscores the vulnerability of Iberia’s broader ecosystem and reflects directly on the airline’s overall security posture.
▪ This case study reinforces a well-established reality in the aviation industry: a significant portion of risk stems from the vulnerabilities of third-party suppliers, who operate within a complex and interconnected network of partners.
▪ Third-party suppliers that provide customer service platforms, operational software, or other critical tools can be exploited by attackers, and a single compromise can cascade across multiple airlines or airports. Recent incidents, including ransomware attacks on operational software and breaches of cloud-based customer service systems, demonstrate the impact of these vulnerabilities.
o Collins Aerospace (2025) – In September 2025, a third-party attack on Collins Aerospace’s Muse software caused major disruptions at European airports, including London Heathrow, Brussels, and Berlin. The ransomware attack took check-in and boarding systems offline, forcing airports to revert to manual processes and resulting in delays, cancellations, and long passenger wait times. Everest claimed responsibility for the attack.
o Qantas Airlines (2025) – The hacker collective Scattered Lapsus$ Hunters stole 5.7 million customer records by targeting Salesforce, the airline’s third-party customer-service platform.
o Hawaiian Airlines (2025) – The cybercriminal group Scattered Spider hacked into the third-party platform used by the airline’s call center and is believed to have gained access to customers’ personal information.
LESSONS LEARNED AND RECOMMENDATIONS
▪ It is essential for the aviation sector, and critical infrastructure in general, to continuously adapt cybersecurity policies and strategies to evolving threats, focusing on mitigating the threats and vulnerabilities an adversary could exploit, including those originating through third-party vendors, and on minimizing the damage a cyber-attack can cause if one does occur.
▪ When implementing an information security policy, continuity and the same level of protection for the information must be maintained on both the supplier’s side and the airline’s to prevent security breaches.
▪ To address the challenge posed by increasing network and system connectivity across airport stakeholders and their third-party vendors, it is necessary to understand and evaluate the risks to critical systems posed by other interconnected critical, essential, and supporting systems: risks that arise from interfaces and interdependencies in data flows, and the impacts they may have on overall airport and aviation operations.
To that end, entities must map their critical systems to properly understand their interdependencies and vulnerabilities, both internally and with external vendors, and to take proper measures to secure them.
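As an added illustration of the mapping step above (example code written for this page, not part of the original briefing or any ASERO tool), the Python model below takes a constructed inventory of systems, their owners, their criticality, and the data flows between them, and computes for each supplier two separate impact dimensions: which airline systems would be disrupted, directly or transitively, if that supplier’s systems went down, and which classes of data would be exposed if they were breached. All system names, owner labels, criticality values and flows are constructed assumptions, chosen so that one supplier holds passenger data without touching operations and another touches operations without holding passenger data.

```python
"""Map systems and data flows, then score the cascade impact of a supplier compromise.

The inventory and flows below are constructed for illustration only.
"""
from collections import deque

# Constructed inventory: system -> (owner, criticality 1..3, data classes held locally)
SYSTEMS = {
    "reservations":    ("airline",  3, {"pii", "booking"}),
    "loyalty":         ("airline",  2, {"pii", "loyalty_id"}),
    "checkin_kiosks":  ("airline",  3, {"booking"}),
    "crew_scheduling": ("airline",  3, set()),
    "flight_ops":      ("airline",  3, set()),
    "vendor_crm":      ("vendor-A", 2, {"pii", "booking"}),      # customer-service platform
    "vendor_email":    ("vendor-B", 1, {"pii"}),                  # notification provider
    "vendor_mro":      ("vendor-C", 2, {"engine_telemetry"}),     # maintenance software
}

# Constructed data flows: (source, destination, data classes sent).
# The destination depends on the source for its operation and receives that data.
FLOWS = [
    ("reservations",    "vendor_crm",      {"pii", "booking"}),
    ("loyalty",         "vendor_crm",      {"pii", "loyalty_id"}),
    ("vendor_crm",      "vendor_email",    {"pii"}),
    ("reservations",    "checkin_kiosks",  {"booking"}),
    ("vendor_mro",      "crew_scheduling", set()),
    ("crew_scheduling", "flight_ops",      set()),
]


def build_graph(systems, flows):
    """Return (adjacency: src -> {dst}, inbound: dst -> data classes arriving there)."""
    adj = {s: set() for s in systems}
    inbound = {s: set() for s in systems}
    for src, dst, data in flows:
        adj[src].add(dst)
        inbound[dst] |= data
    return adj, inbound


def downstream(adj, start):
    """Systems whose operation depends, directly or transitively, on `start` (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def vendor_impact(vendor, systems=SYSTEMS, flows=FLOWS):
    """Disruption cascade and data exposure if every system owned by `vendor` is compromised."""
    adj, inbound = build_graph(systems, flows)
    owned = {s for s, (owner, _, _) in systems.items() if owner == vendor}
    cascade, exposed = set(), set()
    for s in owned:
        cascade |= downstream(adj, s)            # availability: who goes down with it
        exposed |= systems[s][2] | inbound[s]    # confidentiality: what it holds or receives
    airline_hit = {s for s in owned | cascade if systems[s][0] == "airline"}
    return {
        "vendor": vendor,
        "compromised": owned,
        "cascade": cascade - owned,
        "airline_systems_disrupted": airline_hit,
        "disruption_score": sum(systems[s][1] for s in airline_hit),
        "exposed_data": exposed,
    }


def rank_vendors(systems=SYSTEMS, flows=FLOWS):
    """Suppliers ordered by operational blast radius, then by breadth of exposed data."""
    vendors = sorted({owner for owner, _, _ in systems.values() if owner != "airline"})
    return sorted(
        (vendor_impact(v, systems, flows) for v in vendors),
        key=lambda r: (-r["disruption_score"], -len(r["exposed_data"]), r["vendor"]),
    )


if __name__ == "__main__":
    for r in rank_vendors():
        print(f'{r["vendor"]}: disruption={r["disruption_score"]} '
              f'disrupted={sorted(r["airline_systems_disrupted"])} '
              f'exposed={sorted(r["exposed_data"])}')
```

On the constructed inventory, vendor-C ranks first on disruption because a failure of its maintenance software cascades through crew scheduling into flight operations, while vendor-A disrupts nothing operational yet exposes every passenger-data class the airline sends it, which is the shape of the breach described in this case study. Keeping the two dimensions separate matters: a supplier that looks harmless on an availability map can still be the single point through which customer data leaves the organisation.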
▪ While current speculation suggests that an employee of a vendor company may have unknowingly fallen victim to a phishing scam, the possibility of an insider threat, such as the actions of a disgruntled employee, cannot be ruled out. Accordingly, measures to mitigate insider-threat risks should be implemented, including robust employee vetting and periodic re-vetting, targeted awareness programs, and clear processes for reporting unusual behaviors or concerning statements.
▪ It is essential to provide newly onboarded employees with training on threat awareness, including recognition of phishing attempts and other common attack vectors. Periodic refresher training should also be conducted to ensure staff remain informed about emerging trends and evolving threats. This training should be reinforced through an ongoing awareness program that embeds strong security practices and proper cyber hygiene into the organization’s daily working culture.
▪ It is recommended to define and establish standard cybersecurity policies for third-party suppliers, adherence to which should be included in contracts signed between airport stakeholders and their respective vendors.
▪ It is recommended to develop guidelines laying out the steps required to implement an entity’s, in this case an airline’s, cybersecurity strategy at the third-party vendor level.
ASERO offers unparalleled experience in defining entity assets and establishing cybersecurity policies and measures for critical infrastructure, with an emphasis on the aviation domain, including the supply chain. Our team recently completed a pioneering, large-scale project for a global aviation hub designed to map aviation ecosystem interdependencies, define and quantify threat criteria, identify and classify critical and other systems, and propose a roadmap for implementation of security and mitigation measures over the short, medium, and long term.