Iberia Airlines Hit by Vendor Breach: Everest Gang Demands $6 Million as Aviation Cybersecurity Crisis Escalates

Spanish flagship carrier becomes latest victim in unprecedented wave of airline cyberattacks, with threat actors claiming access to 596GB of internal data including editable booking systems

November 29, 2025 - Spain's largest airline Iberia has disclosed a major data breach stemming from a third-party vendor compromise, with the Everest ransomware gang now demanding $6 million to prevent the release of stolen customer and operational data. The incident adds another troubling chapter to what security experts are calling an unprecedented cybersecurity crisis in the aviation industry, with attacks on airlines surging by 600% from 2024 to 2025.

The Breach Timeline: From Dark Web Listing to Ransom Demands

The security incident first came to light on November 14, 2025, when a threat actor appeared on cybercrime forums claiming to possess 77GB of Iberia data and attempting to sell it for $150,000. The advertised dataset allegedly contained technical documentation for Airbus A320 and A321 aircraft, AMP maintenance files, engine data, and internal documents with signatures and certificates.

Nine days later, on November 23, Iberia began notifying customers via email that unauthorized access to a supplier's systems had resulted in the exposure of certain customer information. The airline confirmed that compromised data may include:

  • Customer names and surnames
  • Email addresses
  • Iberia Club loyalty card identification numbers

Critically, Iberia stated that customer account login credentials, passwords, and all banking or payment card information were not compromised in the breach.

However, the situation took a dramatic turn on November 29 when the Everest ransomware gang claimed responsibility for the attack, revealing the breach's scope to be far more extensive than initially disclosed. According to Everest's dark web posting, the group has stolen 596GB of internal company data and maintains "long-term, unfettered access" to all Iberia bookings with the ability to view and edit them.

The gang is now demanding $6 million from Iberia to prevent the data from being sold to third parties, warning that "a full data leak would have catastrophic consequences for both customers and the company, triggering a massive wave of spam and fraud."

The Everest Connection: Russia-Linked Gang Behind European Airport Chaos

The Iberia breach bears the hallmarks of the Everest ransomware gang, a Russia-linked cybercriminal organization that has been operating since 2021. The group made headlines after their October 2022 attack on telecommunications giant AT&T and has recently targeted major corporations including Brazilian petroleum giant Petrobras and activewear brand Under Armour.

Most significantly, Everest has also been linked to the September 2025 ransomware attack on Collins Aerospace's MUSE (Multi-User System Environment) software that brought chaos to several major European airports. That attack, in which the HardBit ransomware was deployed, crippled check-in systems at London Heathrow, Brussels Airport, Berlin Brandenburg, and Dublin Airport, affecting hundreds of flights and forcing airports to revert to manual check-in procedures.

Dublin Airport emerged as the most severely impacted, with officials confirming they had to rebuild servers "from scratch" with no clear timeline for resolution. The incident ultimately exposed 3.8 million passengers' boarding pass data from August 2025 travel.

Third-Party Vendor Risk: Aviation's Achilles Heel

Iberia's breach through a third-party supplier highlights what has become the aviation industry's most critical vulnerability: supply chain security. The airline has not disclosed which specific vendor was compromised, but the pattern mirrors other recent aviation breaches where attackers targeted suppliers rather than airlines directly.

This supply chain attack methodology has proven devastatingly effective across the industry in 2025:

Qantas Airways (July 2025): Australia's flagship carrier confirmed that 5.7 million customer records were compromised after the Scattered Spider hacking group breached a third-party Salesforce platform used by one of its call centers. The attackers employed AI-powered "vishing" (voice phishing) techniques to manipulate employees at a Manila-based call center into installing malicious software. Notably, Qantas refused to pay the ransom, setting itself apart from the 96% of Australian businesses that choose to pay cybercriminals.

Air France-KLM: The European airline group was among dozens of companies compromised in the Scattered Lapsus$ Hunters' coordinated Salesforce exploitation campaign, which ultimately affected over 700 organizations worldwide.

American Airlines Subsidiary (October 2025): Regional carrier Envoy Air was hit by the Clop ransomware gang exploiting an Oracle E-Business Suite zero-day vulnerability (CVE-2025-61882) with a critical CVSS score of 9.8. This wasn't American Airlines' first encounter with Clop—the airline was also victimized in the gang's massive 2023 MOVEit Transfer zero-day campaign.

WestJet (June 2025): Canada's second-largest airline fell victim to Scattered Spider in what became one of the most significant cyberattacks on Canadian aviation infrastructure. The attack disrupted the airline's mobile application and internal systems, though flight operations remained safe and unaffected.

As cybersecurity expert Charlotte Wilson from Check Point explained regarding supply chain vulnerabilities: "These attacks often strike through the supply chain, exploiting third-party platforms that are used by multiple airlines and airports at once. When one vendor is compromised, the ripple effect can be immediate and far-reaching, causing widespread disruption across borders."

The Booking System Threat: Beyond Traditional Data Breaches

What makes Everest's claims about the Iberia breach particularly alarming is the assertion of live, editable access to booking records rather than a one-off copy of exported data. It is that access, more than the raw volume, that underpins the gang's warning about a "massive wave of spam and fraud" if the data is released.

This represents a significant escalation beyond a typical data breach. Many airlines, Iberia included, put the full booking and passenger details in their confirmation emails, and the manage-booking flow usually authenticates on nothing more than a surname and a six-character booking reference. Those two values therefore function as credentials: a leak of booking records is, in effect, a leak of the credentials needed to view and alter those bookings, which extends the potential impact far beyond the customer data Iberia initially disclosed.

Passengers who have traveled with Iberia face several immediate risks:

Targeted Phishing Campaigns: Cybercriminals can use booking references and travel itineraries to craft highly convincing phishing emails claiming to be from the airline.

Social Engineering Attacks: With full names, contact information, and travel patterns, attackers can impersonate airline customer service representatives or conduct sophisticated phone-based scams.

Booking Manipulation: If Everest's claims of editable access to booking systems are accurate, threat actors could potentially alter reservations, cancel flights, or redirect bookings—creating both operational chaos and opportunities for fraud.

Frequent Flyer Account Takeover: Exposed Iberia Club loyalty numbers could enable unauthorized access to loyalty program accounts, potentially allowing theft of miles or points.

Iberia's Response and Industry Implications

In response to the breach, Iberia has implemented several protective measures:

  • Added additional verification code requirements before any changes can be made to email addresses linked to customer accounts
  • Increased monitoring of systems for suspicious activity
  • Notified relevant authorities including data protection regulators
  • Activated security protocols and implemented technical and organizational measures to contain the incident
  • Coordinated ongoing investigation with the involved supplier

The airline emphasized in customer notifications: "As of the date of this communication, we have no evidence of any fraudulent use of this data. In any case, we recommend that you pay attention to any suspicious communications you may receive to avoid any potential problems they may cause you."

Customers have been encouraged to report any anomalous or suspicious activity to Iberia's call center at +34 900111500.

However, the gap between the three accounts of the incident raises serious questions. The November 14 forum listing offered 77GB, described mostly as technical documentation; Iberia's customer notification covered only names, email addresses and loyalty numbers; Everest now claims 596GB plus editable access to bookings. Either Iberia's investigation has not yet established the full scope, or the gang is overstating what it holds. The aviation industry has learned from incidents like the Collins Aerospace attack that initial breach assessments often underestimate the true scope of compromise.

The 2025 Aviation Cyberattack Crisis: A Pattern of Systemic Vulnerability

The Iberia breach must be understood within the context of what has become a full-scale assault on global aviation infrastructure. The sector has witnessed a staggering 600% increase in cyberattacks from 2024 to 2025, with both financially motivated cybercriminals and state-sponsored actors targeting airlines and airports with increasing sophistication.

The Scattered Spider Campaign: The FBI directly linked multiple high-profile aviation breaches to the Scattered Spider hacking group, which systematically targeted the airline industry beginning in June 2025. Microsoft reported that this aligned with the threat actor's pattern of concentrating on one sector for several weeks or months before moving on to new targets. The group, also tracked as UNC3944 and operating within the Scattered Lapsus$ Hunters collective referred to above, has been tied to attacks on Las Vegas casinos in 2023 and British department stores earlier in 2025.

Infrastructure Attacks: Beyond data breaches, critical airport infrastructure has faced crippling attacks. In March 2025, Kuala Lumpur International Airport faced a cyberattack with hackers demanding a $10 million ransom, disrupting critical airport systems and triggering Malaysia's national cybersecurity response. A major U.S. airport experienced a coordinated DDoS attack that temporarily knocked out flight information displays, online ticketing, and check-in systems.

Geopolitical Targeting: Russia's flagship carrier Aeroflot was forced to cancel over 100 flights after pro-Ukrainian hacker group Silent Crow claimed responsibility for a cyberattack, demonstrating how aviation has become a battleground for cyber warfare.

The Single Point of Failure Problem

A recurring theme across 2025's aviation cyberattacks has been the vulnerability created by centralized systems and shared infrastructure. As our analysis of the Collins Aerospace incident revealed, approximately 70% of EU airports rely on third-party common-use systems like MUSE for 95% of passenger touchpoints. When one system fails—whether from ransomware or other causes—it doesn't just affect one airline or one airport; it ripples across an entire continent's air travel infrastructure simultaneously.

Travel analyst Paul Charles explained the systemic risk: "This is a very clever cyberattack indeed because it's affected a number of airlines and airports at the same time. They've got into the core system that enables airlines to effectively check in many of their passengers at different desks at different airports around Europe."

This architectural weakness creates what cybersecurity experts call "single points of failure" where one successful attack can cascade across multiple airports and airlines, affecting thousands of flights and millions of passengers. The European Union Agency for Cybersecurity has confirmed this pattern represents a fundamental shift in threat actor strategy—criminals specifically target supply chain providers to maximize impact.

Lessons from Legacy Failures

The aviation industry's infrastructure vulnerabilities aren't new, as our examination of Delta and British Airways' catastrophic data center failures in 2016-2017 demonstrated. Those incidents, which cost a combined $330+ million and stranded over 150,000 passengers, were attributed to "human error" but actually reflected systemic failures in infrastructure investment, redundancy planning, and vendor management.

The pattern continues: organizations invest minimally in infrastructure resilience, defer critical maintenance and upgrades, rely on single vendors without adequate backup systems, and then attribute catastrophic failures to individual mistakes rather than systemic vulnerabilities.

The difference now is that threat actors have learned to weaponize these organizational weaknesses. Modern attacks add identity theft, fraud, and long-term reputational damage to the operational losses that "accidental" outages caused.

Economic Impact and Industry Response

The financial implications of aviation cyberattacks are staggering. In 2023, the cost of cyber data breaches averaged around $4.45 million, not including reputational damage. The recent CrowdStrike incident, while not malicious, demonstrated the sector's vulnerability when Delta Airlines announced losses of around $550 million from the interruption to business.

For Iberia, facing a $6 million ransom demand from Everest, the decision of whether to pay carries significant implications. The ransom amount is substantial but potentially dwarfed by the costs of:

  • Customer notification and credit monitoring services
  • Regulatory fines under GDPR and other data protection laws
  • Legal costs from potential class-action lawsuits
  • Reputational damage and customer churn
  • Enhanced security measures and infrastructure improvements
  • Long-term fraud monitoring and remediation

The aviation cybersecurity market is projected to reach $5.32 billion in 2025, growing at 8.7% annually through 2029, as airlines and airports scramble to enhance their defensive capabilities.

Regulatory and Policy Implications

The wave of aviation breaches has intensified calls for:

Stricter Cybersecurity Standards: Mandatory security requirements for airlines and critical vendors, with regular auditing and compliance verification.

Enhanced Incident Response: Improved coordination between airports, airlines, cybersecurity agencies, and international law enforcement.

Supply Chain Security: Requirements for airlines to audit and continuously monitor the security posture of all third-party vendors with access to customer data or operational systems.

Mandatory Incident Reporting: Faster disclosure timelines and more detailed public reporting of breach scope and impact.

Data Minimization: Limits on the types and duration of customer data that vendors can access and retain.

The European Union Agency for Cybersecurity has been particularly active in responding to the crisis, working to improve coordination and information sharing across member states' aviation sectors.

Recommendations for Passengers and Organizations

For Iberia Passengers: Travelers who have used Iberia or hold Iberia Club memberships should:

  • Remain alert for suspicious emails, calls, or texts claiming to be from Iberia or partner airlines
  • Verify any communication about flight changes, cancellations, or required actions by contacting Iberia directly through official channels
  • Monitor Iberia Club accounts for unauthorized activity or point redemptions
  • Be particularly cautious about unsolicited requests for personal information or payment
  • Consider changing Iberia Club passwords and enabling additional security measures
  • Report any anomalous activity to Iberia's call center at +34 900111500

For Airlines and Aviation Organizations: The Iberia breach underscores critical security imperatives:

Rigorous Vendor Security Assessment: Continuous evaluation of third-party providers' security posture, including:

  • Regular penetration testing and vulnerability assessments
  • Audit of access controls and data handling practices
  • Verification of incident response capabilities
  • Contractual security requirements with penalties for non-compliance

Network Segmentation: Proper isolation of customer-facing systems from critical operational infrastructure, as demonstrated by WestJet's ability to maintain safe flight operations despite its mobile app compromise.

Zero Trust Architecture: Implementation of least-privilege access principles for all vendor connections, with continuous verification and monitoring.
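Iberia's stated response included increased monitoring for suspicious activity, and Everest's claim is of long-term access to all bookings through a supplier. The following added example (not Iberia's or any vendor's detection logic; the audit-log schema, the account names svc-vendor-crm and agent.lopez, and the thresholds are assumptions, and the log lines are constructed) shows the kind of sliding-window rule a security operations team could run over a reservation system's audit log to catch one vendor identity sweeping through unrelated bookings or rewriting contact details in bulk:

```python
"""Spotting bulk booking access by a third-party account in the reservation audit log.

Added example for this article, not Iberia's or any vendor's detection logic.
The log schema, account names and thresholds are assumptions and the log lines
are constructed sample data.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)
MAX_DISTINCT_PNRS = 25    # assumed baseline: no one account needs more bookings per window
MAX_CONTACT_EDITS = 5     # assumed baseline for email/phone rewrites per window
CONTACT_FIELDS = {"contact_email", "phone"}


def sample_log_lines():
    """Constructed audit events, one JSON object per line: a human agent working
    normally, and a vendor integration account (hypothetical name) sweeping
    through bookings and rewriting contact emails."""
    t0 = datetime(2025, 11, 20, 9, 0, tzinfo=timezone.utc)

    def ev(offset, principal, action, pnr, field=None):
        return json.dumps({"ts": (t0 + offset).isoformat(), "principal": principal,
                           "action": action, "pnr": pnr, "field": field})

    lines = [ev(timedelta(minutes=15 * i), "agent.lopez", "booking.update", f"AG{i:04d}", "seat")
             for i in range(4)]                                  # four customers in an hour
    lines += [ev(timedelta(seconds=6 * i), "svc-vendor-crm", "booking.read", f"VN{i:04d}")
              for i in range(60)]                                # 60 distinct PNRs in 6 minutes
    lines += [ev(timedelta(minutes=7, seconds=10 * i), "svc-vendor-crm", "booking.update",
                 f"VN{i:04d}", "contact_email") for i in range(20)]   # then 20 email rewrites
    return lines


def detect(lines, window=WINDOW, max_pnrs=MAX_DISTINCT_PNRS, max_contact_edits=MAX_CONTACT_EDITS):
    """Sliding-window rules per principal. Emits one alert per (principal, rule)
    the first time a threshold is crossed, so a sweep does not flood the queue."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # principal -> (ts, pnr, is_contact_edit) inside the window
    alerted, alerts = set(), []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e["principal"]]
        q.append((ts, e["pnr"], e["action"] == "booking.update" and e["field"] in CONTACT_FIELDS))
        while q and ts - q[0][0] > window:
            q.popleft()                                          # drop events older than the window
        distinct = len({pnr for _, pnr, _ in q})
        contact_edits = sum(1 for _, _, edit in q if edit)
        for rule, value, limit in (("bulk_access", distinct, max_pnrs),
                                   ("contact_rewrite", contact_edits, max_contact_edits)):
            if value > limit and (e["principal"], rule) not in alerted:
                alerted.add((e["principal"], rule))
                alerts.append({"principal": e["principal"], "rule": rule,
                               "count": value, "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(sample_log_lines()):
        print(alert)
```

Run stand-alone it prints two alerts, both for the vendor account; the agent's four edits spread over an hour never cross either threshold. In production the limits would come from a per-principal baseline rather than constants, and the rule should also key on source address and API client, since the vendor credential itself is what Everest claims to be holding.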

Backup and Recovery: Robust business continuity planning with regularly tested disaster recovery systems, as the lack of adequate backups turned Collins Aerospace's attack into a multi-day crisis requiring servers to be rebuilt from scratch.

Employee Training: Comprehensive security awareness programs to combat social engineering attacks, which remain the primary initial access vector for groups like Scattered Spider.

Incident Response Planning: Pre-established communication protocols, forensic investigation capabilities, and decision frameworks for responding to extortion demands.

The Path Forward: Breaking the Cycle

As cybersecurity expert Charles Carmakal from Google Mandiant warned during the Scattered Spider aviation campaign: "Scattered Spider has a history of focusing on sectors for a few weeks at a time before expanding their targeting. Given the habit of this actor to focus on a single sector, we suggest that the industry take steps immediately to harden systems."

That warning has proven prescient. The aviation industry now faces a choice: invest proactively in cybersecurity resilience, or continue to respond reactively to increasingly sophisticated and damaging attacks.

Kevin Beaumont, former Microsoft threat analyst, put it bluntly: "These disruptions are dress rehearsals for larger attacks. Aviation's reliance on legacy systems makes it a prime target."

The Iberia breach, coming at the tail end of 2025's devastating wave of aviation cyberattacks, serves as both a warning and an opportunity. Airlines and airports that implement comprehensive security improvements now—including rigorous vendor management, network segmentation, backup systems, and employee training—can avoid becoming the next headline.

Those that don't risk following the pattern we've seen throughout 2025: initial compromise, escalating ransom demands, massive customer data exposure, regulatory penalties, and long-term reputational damage.

With Everest's $6 million demand outstanding, millions of passengers wait to learn whether their booking data will be leaked or sold on the dark web. The incident serves as a stark reminder that in our interconnected world, aviation cybersecurity is not just an IT issue: it is a matter of passenger safety, economic stability, and critical infrastructure protection.

Iberia customers concerned about this breach should contact the airline's dedicated support line at +34 900111500 or monitor official communications through Iberia's verified channels.

By Breached Company