Incident

Spanish Iberia Airlines reports third-party vendor data breach exposing customer data



Spanish flag carrier Iberia Airlines is notifying customers of a security incident caused by a breach at one of its third-party suppliers' systems.

Iberia did not name its compromised supplier, but the incident is similar to a series of cyberattacks affecting multiple major brands that use Salesforce instances. The Salesforce-related attack campaign has already impacted several other airlines, including Qantas, which first detected a systems breach in July 2025, followed by Air France and Dutch flag carrier KLM.

The compromised dataset includes:

  • Full names (first and last names)
  • Email addresses associated with booking profiles
  • Iberia Club frequent flyer loyalty card identification numbers

The number of affected customers has not been disclosed. Iberia claims that account login credentials and passwords were not compromised, nor was any complete banking or payment card information. The Iberia Group transported over 30.7 million passengers across its airlines in 2024, so the breach could affect millions.

Iberia has advised affected customers to be wary of phishing attempts and social engineering attacks.

Approximately one week before Iberia's public notification, a threat actor on cybercrime forums claimed to have stolen 77 GB of sensitive internal data from Iberia's systems and attempted to sell it for $150,000 in cryptocurrency. It is unclear whether this claimed 77 GB theft is related to the customer information breach or is a completely different incident. The authenticity of the 77 GB technical data claim has not been verified.

Update: as of 25th of November 2025, the Everest ransomware group claims to have breached Iberia and exfiltrated over 1 TB of data containing millions of customers' personal information, loyalty details, travel histories, and payment records, while also maintaining long-term access with capabilities to read and alter bookings. The group is awaiting ransom negotiations and threatens to publicly leak the stolen data if Iberia does not respond.

As of 29th of November 2025, the Everest group is demanding a $6 million ransom to prevent the data from being leaked or sold.

As of 2nd of December 2025, the attackers claim to maintain ongoing access to Iberia's systems and have the ability to view and modify passenger bookings, potentially allowing them to change flight details, cancel tickets, and access personal information.
