
Iberia Airline Club Loyalty Data Exposed in Third-Party Vendor Breach: Incident Analysis and Mitigation Steps

  • Rescana

Executive Summary

On November 23, 2025, Iberia, Spain’s largest airline and a member of International Airlines Group (IAG), publicly disclosed a customer data leak resulting from a security breach at a third-party supplier. The incident led to the exposure of customer names, email addresses, and Iberia Club loyalty identification numbers. No evidence indicates that account passwords or financial data were compromised. The breach was discovered after a threat actor claimed to possess and attempted to sell 77 GB of data allegedly linked to Iberia on a cybercrime forum. While the authenticity and full scope of the data for sale remain unverified, the incident underscores the risks associated with third-party vendor relationships in the airline sector. Iberia has activated its security protocols, implemented additional technical and organizational measures, and notified relevant authorities. As of the reporting date, there is no evidence of fraudulent use of the exposed data, but customers are advised to remain vigilant for potential phishing or social engineering attempts. All information in this summary is directly supported by the cited primary sources.

Technical Information

The Iberia data breach is a supply-chain incident in the broad sense: the adversary gained unauthorized access to a third-party supplier's environment that held Iberia customer data, and the breach did not originate in Iberia's own infrastructure. The report maps this to MITRE ATT&CK T1195 (Supply Chain Compromise). That mapping should be read loosely: T1195 describes manipulation of products or delivery mechanisms before they reach the victim, and T1199 (Trusted Relationship) describes abuse of a third party's access to the victim's systems. Here the data was taken from the supplier's own systems, so neither technique describes the intrusion itself; T1195 is used as the closest sector-level label, not as an evidence-based technique attribution.

Upon gaining access to the supplier's systems, the attacker exfiltrated customer data, including names, email addresses, and Iberia Club loyalty card identification numbers. None of the primary sources describe the exfiltration channel. If the data left over a web service, the parent technique MITRE ATT&CK T1567 (Exfiltration Over Web Service) would apply; note that T1567.002 is the narrower sub-technique Exfiltration to Cloud Storage, and nothing in the sources supports that level of specificity. The breach became public after a threat actor advertised a 77 GB dataset for sale on a cybercrime forum, claiming it contained technical documentation such as aircraft maintenance files and internal documents. The overlap between the data offered for sale and the customer data Iberia has confirmed as exposed is not established (BleepingComputer, Nov 23, 2025; Security Affairs, Nov 23, 2025; How-To Geek, Nov 23, 2025).

No specific malware, ransomware, or exploit tools have been identified in connection with this incident. The method of initial access remains unspecified, but it may have involved credential compromise, misconfiguration, or exploitation of unpatched vulnerabilities within the supplier’s systems. There are no published technical indicators such as malware hashes, command-and-control infrastructure, or forensic artifacts. This absence of technical detail is consistent across all primary sources.

The threat actor responsible for the breach remains unidentified. The only public activity attributed to the actor is the attempt to sell the stolen data for $150,000 on a cybercrime forum. The actor claimed the dataset included technical documentation for Airbus A320 and A321 aircraft, AMP (aircraft maintenance programme) files, engine data, and internal documents, some allegedly carrying ISO 27001 and ITAR markings. The actor suggested the data could be valuable for espionage, resale to competitors, or use by state actors, but there is no direct evidence of nation-state involvement. Attribution to a specific threat group or nation-state is not possible on the available evidence.

The incident highlights sector-specific risks in the airline industry, where both customer loyalty data and operational technical documentation are attractive targets for cybercriminals and espionage actors. The exposure of loyalty program data increases the risk of targeted phishing and social engineering attacks against customers. The sale of technical documentation could have implications for aviation safety, regulatory compliance, and competitive intelligence.

Iberia responded by activating its security protocols, implementing additional protections around customer account changes (such as requiring verification codes for email modifications), and increasing system monitoring. The airline has notified regulatory authorities and continues to investigate the incident in coordination with the affected supplier. As of the reporting date, there is no evidence of fraudulent use of the exposed data or compromise of financial information. Customers are advised to remain alert for suspicious communications and to report any anomalous activity to Iberia’s call center.

The technical analysis of the attack methods is summarized as follows:

  • The initial access was achieved through a supply chain compromise at a third-party supplier (MITRE ATT&CK T1195).

  • The exfiltration channel is not described in any source; exfiltration over a web service (MITRE ATT&CK T1567) is a hypothesis, not a finding.

  • The exposure of customer contact information and loyalty IDs increases the risk of phishing attacks (MITRE ATT&CK T1598: Phishing for Information).

  • No malware, ransomware, or specific exploit tools have been identified.

  • The threat actor remains unattributed, and the full scope of the data for sale is unverified.

All claims in this section are drawn from the cited primary sources; the MITRE ATT&CK mappings are labelled above as either a direct finding (the supplier compromise) or a hypothesis (the exfiltration channel), since the sources publish no technical indicators that would allow higher confidence.

Affected Versions & Timeline

The breach affected customers whose data was processed by the compromised third-party supplier. Neither Iberia nor any of the primary sources has named the supplier or the specific systems involved. The exposed data includes customer names, email addresses, and Iberia Club loyalty identification numbers. Iberia states that no account passwords or financial data were compromised.

The timeline of the incident is as follows: Approximately seven days before Iberia’s public disclosure on November 23, 2025, a threat actor posted on a cybercrime forum, claiming to have breached the airline and offering 77 GB of data for sale. The forum post listed technical documentation and internal files as the primary contents of the dataset. Iberia began notifying affected customers shortly thereafter, confirming the exposure of specific personal data and attributing the breach to a third-party supplier. The airline’s security protocols were activated immediately upon discovery, and regulatory authorities were notified. The investigation remains ongoing as of the reporting date (BleepingComputer, Nov 23, 2025; Security Affairs, Nov 23, 2025; How-To Geek, Nov 23, 2025).

Threat Activity

The threat activity associated with this incident centers on the unauthorized access and exfiltration of customer and technical data from a third-party supplier’s systems. The attacker’s primary public action was the attempt to monetize the stolen data by offering it for sale on a cybercrime forum. The dataset was advertised as containing 77 GB of information, including technical documentation for Airbus A320 and A321 aircraft, AMP maintenance files, engine data, and internal documents, as well as customer data.

The threat actor’s forum post claimed the data was “extracted directly from [the airline’s] internal servers,” but Iberia’s investigation attributes the breach to a supplier, not their own infrastructure. The discrepancy between the actor’s claims and Iberia’s findings has not been resolved, and the full overlap between the data for sale and the confirmed customer data leak is unverified. The actor suggested the data could be used for espionage, competitor resale, or by state actors, but there is no direct evidence of such use or of nation-state involvement.

No evidence has been found of fraudulent use of the exposed customer data as of the reporting date. However, the exposure of names, email addresses, and loyalty IDs increases the risk of phishing and social engineering attacks targeting Iberia customers. The airline has warned customers to be vigilant for suspicious communications and to report any anomalous activity.

The incident fits established patterns of sector-specific targeting in the airline industry, where both customer loyalty data and technical documentation are valuable to cybercriminals and espionage actors. The use of a supply chain compromise as the attack vector is consistent with recent trends in attacks against critical infrastructure and transportation sectors.

Mitigation & Workarounds

Iberia has implemented several mitigation measures in response to the breach. The airline activated its security protocols immediately upon discovering the incident, applied additional technical and organizational controls to contain the breach, and reinforced protections around customer account changes. Specifically, Iberia now requires a verification code before any changes can be made to the email address associated with a customer account. System monitoring has been increased to detect suspicious activity, and regulatory authorities have been notified.
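The control Iberia describes, a verification code that must be confirmed before the email address on an account can change, is worth seeing end to end, because the details (which address receives the code, expiry, attempt limits, constant-time comparison) are where such flows usually go wrong. The following is an added example written for this report, not Iberia's code; the in-memory account table, the `outbox` list standing in for a mail gateway, and the injectable `clock` are assumptions made so it runs stand-alone.

```python
"""Verification-code-gated email change (added example, not Iberia's code).

The code is sent to the address currently on file, so an attacker holding only a
leaked name, email and loyalty ID cannot redirect the account to an address they
control. In-memory store, an outbox list in place of a mail gateway, and an
injectable clock are assumptions that keep the example self-contained."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 600   # a code is valid for ten minutes
MAX_ATTEMPTS = 5         # after this many wrong codes the pending change is discarded


@dataclass
class PendingChange:
    new_email: str
    code_mac: bytes      # keyed MAC of the code; the code itself is never stored
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    user_id: str
    email: str
    pending: Optional[PendingChange] = None


class EmailChangeService:
    def __init__(self, clock=time.time):
        self.accounts: dict = {}
        self.outbox: list = []                 # (recipient, body) tuples instead of a mail gateway
        self.clock = clock
        self._key = secrets.token_bytes(32)    # server-side secret: a leaked table of MACs is useless without it

    def _mac(self, user_id: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def request_email_change(self, user_id: str, new_email: str) -> None:
        acct = self.accounts[user_id]
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit code from a CSPRNG
        acct.pending = PendingChange(new_email, self._mac(user_id, code),
                                     self.clock() + CODE_TTL_SECONDS)
        # Deliver to the CURRENT address, never to the requested new one.
        self.outbox.append((acct.email, f"Confirm the change of your account email with code {code}"))

    def confirm_email_change(self, user_id: str, code: str) -> str:
        acct = self.accounts[user_id]
        p = acct.pending
        if p is None:
            return "no_pending_change"
        if self.clock() > p.expires_at:
            acct.pending = None
            return "expired"
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:          # brute-forcing a six-digit code is cheap without this
            acct.pending = None
            return "locked"
        if not hmac.compare_digest(self._mac(user_id, code), p.code_mac):
            return "invalid"
        old_email = acct.email
        acct.email = p.new_email
        acct.pending = None
        # Tell the old address as well, so a successful hijack is at least visible to the victim.
        self.outbox.append((old_email, f"Your account email was changed to {p.new_email}"))
        return "changed"


def code_from_message(body: str) -> str:
    """Extract the six-digit code from a delivered message (used to drive the flow)."""
    return body.rsplit(" ", 1)[1]


if __name__ == "__main__":
    svc = EmailChangeService()
    svc.accounts["u1"] = Account("u1", "member@example.com")
    svc.request_email_change("u1", "attacker@example.net")
    print("guess:", svc.confirm_email_change("u1", "123456"))
    print("real code:", svc.confirm_email_change("u1", code_from_message(svc.outbox[0][1])))
```

The attempt counter and expiry live on the pending change rather than on the account, so a locked or expired request forces a fresh code rather than a permanent lockout, and the post-change notice to the old address is what gives a victim a chance to call the airline before the attacker uses the account.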

From a customer perspective, the most critical mitigation steps are to remain vigilant for phishing and social engineering attempts. Customers should be cautious of unsolicited communications claiming to be from Iberia, especially those requesting sensitive information or prompting account changes. Any suspicious activity should be reported to Iberia’s call center at +34 900 111 500.

For organizations in the airline sector and other industries reliant on third-party suppliers, this incident underscores the importance of robust third-party risk management, regular security assessments of suppliers, and the implementation of least-privilege access controls. Enhanced monitoring of supplier access, multi-factor authentication, and incident response planning are recommended to reduce the risk of similar supply chain attacks.
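"Enhanced monitoring of supplier access" only helps if someone has written down what normal supplier access looks like and alerts on departures from it. The block below is an added example, not anything from Iberia or its supplier: it runs three checks over a constructed audit log (a hypothetical `svc-supplier-crm` service account, an allow-listed source address, a working-hours window, and a record-volume baseline are all assumptions) and flags the overnight bulk pull from an unexpected address that a data-theft event would typically look like in such logs.

```python
"""Supplier-account access monitoring over an audit log (added example).

Three checks a customer-data holder can run on the account it issues to a
supplier: source address outside the supplier's allowlist, activity outside the
agreed hours, and an hourly record volume far above the account's own baseline.
The log lines, policy and thresholds below are constructed for the example."""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real airline or supplier data): routine daytime
# reads by the supplier account, then an overnight full-table export from an
# address that is not the supplier's.
SAMPLE_LOG = """\
{"ts": "2025-11-15T09:02:11Z", "principal": "svc-supplier-crm", "action": "customer.read", "records": 12, "src_ip": "203.0.113.10"}
{"ts": "2025-11-15T10:15:40Z", "principal": "svc-supplier-crm", "action": "customer.read", "records": 8, "src_ip": "203.0.113.10"}
{"ts": "2025-11-15T11:40:02Z", "principal": "svc-supplier-crm", "action": "customer.read", "records": 15, "src_ip": "203.0.113.10"}
{"ts": "2025-11-15T14:05:33Z", "principal": "svc-supplier-crm", "action": "customer.read", "records": 10, "src_ip": "203.0.113.10"}
{"ts": "2025-11-15T10:00:00Z", "principal": "web-frontend", "action": "customer.read", "records": 3, "src_ip": "10.0.0.5"}
{"ts": "2025-11-16T02:13:07Z", "principal": "svc-supplier-crm", "action": "customer.export", "records": 250000, "src_ip": "198.51.100.7"}
{"ts": "2025-11-16T02:14:51Z", "principal": "svc-supplier-crm", "action": "customer.export", "records": 250000, "src_ip": "198.51.100.7"}
"""

# Hypothetical per-supplier policy: where the account may connect from and when (UTC).
SUPPLIER_POLICY = {
    "svc-supplier-crm": {"allowed_ips": {"203.0.113.10"}, "work_hours_utc": (7, 20)},
}
ABSOLUTE_HOURLY_CAP = 1000   # records per hour that is never legitimate for this integration
BASELINE_MULTIPLIER = 10     # also alert above 10x the account's median hourly volume


def parse_log(text: str) -> list:
    """Parse JSON-lines audit records; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect(events: list, policy: dict = SUPPLIER_POLICY) -> list:
    """Return one alert dict per policy violation for principals covered by the policy."""
    alerts = []
    hourly = defaultdict(lambda: defaultdict(int))   # principal -> "YYYY-MM-DDTHH" -> records
    for ev in events:
        p = ev["principal"]
        if p not in policy:
            continue   # internal principals are out of scope for supplier monitoring
        rules = policy[p]
        hourly[p][ev["ts"].strftime("%Y-%m-%dT%H")] += ev["records"]
        if ev["src_ip"] not in rules["allowed_ips"]:
            alerts.append({"type": "unknown_source", "principal": p,
                           "ts": ev["ts"].isoformat(), "src_ip": ev["src_ip"]})
        start, end = rules["work_hours_utc"]
        if not (start <= ev["ts"].hour < end):
            alerts.append({"type": "off_hours", "principal": p,
                           "ts": ev["ts"].isoformat(), "action": ev["action"]})
    # Volume check: compare each hour against the median of the account's other hours,
    # so a slow ramp still trips the absolute cap and a sudden spike trips the multiplier.
    for p, buckets in hourly.items():
        for bucket, total in buckets.items():
            others = [v for b, v in buckets.items() if b != bucket]
            baseline = statistics.median(others) if others else 0
            threshold = max(ABSOLUTE_HOURLY_CAP, BASELINE_MULTIPLIER * baseline)
            if total > threshold:
                alerts.append({"type": "bulk_volume", "principal": p, "hour": bucket,
                               "records": total, "threshold": threshold})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this raises five alerts: two for the unlisted source address, two for the 02:00 UTC activity, and one for the 500,000-record hour against a threshold of 1,000. The same three signals are what a supplier should be contractually required to forward from its own environment, since the data in this incident was taken from the supplier's side, where the customer's own monitoring cannot see it.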

The following recommendations are prioritized by severity:

Critical: Customers should be alert for phishing emails and report any suspicious activity to Iberia immediately. Organizations should review and strengthen third-party risk management practices, including supplier security assessments and access controls.

High: Implement multi-factor authentication for all supplier and customer-facing systems. Increase monitoring of supplier access and data flows.

Medium: Conduct regular security awareness training for staff and customers, focusing on phishing and social engineering risks. Review and update incident response plans to address supply chain attack scenarios.

Low: Periodically review and update supplier contracts to include security requirements and breach notification obligations.

References

  • BleepingComputer, November 23, 2025: https://www.bleepingcomputer.com/news/security/iberia-discloses-customer-data-leak-after-vendor-security-breach/
  • Security Affairs, November 23, 2025: https://securityaffairs.com/184985/data-breach/iberia-discloses-security-incident-tied-to-supplier-breach.html
  • How-To Geek, November 23, 2025: https://www.howtogeek.com/another-airline-just-had-a-data-leak/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their external suppliers and partners. Our platform enables continuous evaluation of vendor security posture, supports incident response coordination, and assists in implementing controls to mitigate supply chain threats. For questions about this report or to discuss third-party risk management strategies, contact us at ops@rescana.com.
