MADRID- The Everest ransomware group has breached Iberia Airlines (IB), Spain’s flag carrier headquartered at Adolfo Suárez Madrid–Barajas Airport (MAD).
Hackers demand $6 million ransom to stop leaking 596 GB of stolen Iberia passenger data that includes names, emails, birthdates, masked credit card details, and booking records.
News of the breach surfaced last Sunday when Iberia began emailing Iberia Club members that personal details may have been stolen.
The same Russian-linked Everest group previously disrupted check-in systems at major European airports in September.
Iberia Faces $6 Million Ransom Demand
According to PYOK, the Everest group gained access through a third-party vendor and extracted 596 GB of data, including 430 GB of which are email files containing over 5 million editable records.
On the dark web, a member linked to Everest posted: “A full data leak would have catastrophic consequences for both customers and the company, triggering a massive wave of spam and fraud.”
The criminals threaten to publish or sell the database unless Iberia pays $6 million. While full credit card numbers were not compromised, the stolen masked card data, combined with birthdates and travel histories, enables highly convincing phishing campaigns.
Data Confirmed Stolen from Iberia
Iberia (IB) confirmed the breach affects frequent flyer accounts and includes:
- First and last names
- Email addresses
- Loyalty card numbers
- Contact details
- Dates of birth
- Travel and booking information
The airline stressed that complete bank card details remain secure, though Everest claims possession of partially masked card data.
Customer Notification and Official Statement
In emails sent last Sunday, Iberia (IB) told members: “As of the date of this communication, we have no evidence that any fraudulent use of this data has occurred.”
The airline added: “In any case, we recommend that you pay attention to any suspicious communications you may receive, in order to avoid any inconvenience that such communications may cause you.
We recommend that you report any anomalies or suspicions you detect to our call center.”
Everest previously attacked the MUSE check-in platform developed by Collins Aerospace. The September 2025 incident took systems offline at London Heathrow (LHR), Brussels (BRU), and Berlin Brandenburg (BER), causing days of flight delays across Europe.
It remains unknown whether Collins Aerospace paid the ransom demanded at that time.
Growing Threat to Aviation
The Iberia (IB) incident shows Everest continues to target the aviation sector for maximum financial and operational impact.
Experts warn that personalized phishing emails pretending to come from Iberia Club could soon flood inboxes, attempting to steal full payment details or install malware.
Stay tuned with us. Further, follow us on social media for the latest updates.
Join us on Telegram Group for the Latest Aviation Updates. Subsequently, follow us on Google News
