Iberia, the Spanish flag carrier, has begun notifying its customers that their personal information was compromised following a security incident involving one of the airline’s suppliers. The notification, which was distributed in Spanish-written emails to customers on Sunday, disclosed that the breach resulted in the theft of customer names, email addresses, and frequent flyer numbers. The company, however, was quick to assure recipients that more sensitive data, specifically passwords or full credit card information, was not compromised in the attack. The airline confirmed that the breach was addressed immediately after its discovery.
The airline has taken steps to bolster its security measures in the wake of the breach, primarily by enhancing the protections around customer accounts. To this end, Iberia now requires a verification code to be provided by the customer before any attempt to change the email address associated with their account can be successfully processed. Furthermore, the company has officially notified law enforcement about the incident. They have also initiated a joint investigation into the matter, working collaboratively with their affected third-party supplier to fully understand the scope and nature of the compromise.
Despite the transparency in notifying customers, Iberia was not forthcoming about several key details concerning the incident. Specifically, the airline did not specify the exact date when the data breach occurred, nor did it name the third-party supplier whose systems were compromised. Additionally, it remains unclear whether this breach is linked to any of the recently reported hacking campaigns that targeted the customers of major technology providers like Salesforce and Oracle EBS, suggesting the incident may be isolated or part of a different ongoing threat landscape.
The timing of the customer notifications is particularly noteworthy, as Iberia sent them out roughly one week after a malicious actor made claims on a prominent hacking forum. This threat actor boasted about having successfully stolen a substantial amount of data—approximately 77 gigabytes—from the airline’s internal systems. The stolen material was alleged to include highly sensitive documents, such as ISO 27001 and ITAR-classified information, along with technical aircraft documentation, various internal corporate documents, and specialized engine data.
The hacker, attempting to monetize the data, was actively marketing the stolen archive for a price of $150,000. The threat actor positioned the data as being highly suitable for various nefarious activities, including use in acts of corporate espionage, for purposes of extortion, or for resale to governments. Iberia was founded in 1927 and is now a component of the International Airlines Group (IAG), having merged with British Airways in 2011. The IAG also controls Aer Lingus, BMI, and Vueling. Operating an all-Airbus fleet, Iberia services a network of 130 destinations across the globe.
Reference:
