Dark Web News Analysis
A threat actor, identified in intelligence reports as the Everest ransomware group, is advertising the sale of a massive 596 GB database allegedly belonging to Iberia Airlines (part of the International Airlines Group – IAG).
Brinztech Analysis:
- The Conflict: This sale appears to be the escalation of a third-party supply chain breach that Iberia officially acknowledged in late November 2025. While the airline initially stated that “passwords and banking information were not accessed,” the threat actor’s listing contradicts this by claiming a massive trove of data including card masks, expiration dates, and internal system structures.
- The Data: The leaked sample includes highly specific travel and loyalty data fields:
  - Loyalty: IBP_st_card_number (Iberia Plus Card), Avios balances.
  - Travel: JourneyName, PNR (Passenger Name Record) booking details.
  - Identity: Full contact details, emails, and phone numbers.
- The Scale: The sheer volume (596 GB) suggests this is not a simple export of a marketing list but a dump of a core database or a backup server from a compromised service provider (possibly related to the Collins Aerospace / vMUSE incident earlier in the year or a separate logistics partner). The demand has reportedly reached $6 million.
Key Cybersecurity Insights
This alleged data breach presents a critical threat to travelers and the aviation sector:
- PNR Data Exposure: The exposure of Passenger Name Records (PNR) is a significant privacy risk. PNRs contain not just names but entire travel itineraries, co-travelers, meal preferences, and contact details. This data allows for physical surveillance and highly targeted “travel disruption” scams.
- Loyalty Program Fraud: With exposed Avios balances and loyalty numbers, attackers can attempt to hijack accounts to drain miles for flights, hotels, or gift cards. Loyalty accounts are typically protected more weakly than bank accounts, frequently by nothing more than a 4-digit PIN.
- High-Fidelity Phishing: The combination of “JourneyName” and contact info allows attackers to send emails that look exactly like official Iberia check-in reminders or cancellation notices.
  - Example Scenario: “Your flight to Madrid [JourneyName] has been rescheduled. Click here to confirm.”
- Internal System Exposure: The presence of “internal data structures” puts Iberia’s IT infrastructure at risk of further exploitation, as it reveals the schema and logic of their backend systems to other attackers.
Mitigation Strategies
In response to this claim, Iberia customers and the airline must take immediate action:
- Compromised Credential Monitoring: Users should assume their Iberia Plus credentials are at risk. Change passwords immediately. If the same password was used for banking or email, change those too.
- Enhanced Fraud Detection (Loyalty): Iberia should implement stricter controls on Avios redemptions, such as requiring 2FA for any points transfer or redemption.
- Strengthened Phishing Defenses: Customers must be skeptical of any email claiming to be from Iberia, especially those creating urgency about upcoming flights. Verify flight status directly in the official app, never via email links.
- Payment Card Vigilance: While full PANs may not be exposed, “card masks” and expiration dates can sometimes be used in social engineering to convince a victim that the caller is from their bank. Monitor statements closely.
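The following is an added example of the loyalty-fraud control described above; it is not Brinztech's or Iberia's code. It keeps the page's rule that every points transfer or redemption requires 2FA (never a PIN alone) and goes one step further: redemptions that combine several account-takeover signals (unrecognised device, password or contact details changed within the last 48 hours, cash-equivalent or third-party payout, unusually high value, redemption velocity) are held for manual review. All field names, thresholds and sample values are assumptions.

```python
"""Added example (not Brinztech's or Iberia's code): a step-up policy for
loyalty-point redemptions. Field names and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Redemption:
    member_id: str
    points: int
    kind: str                  # "flight", "hotel", "gift_card" or "transfer"
    device_known: bool         # device has previously passed 2FA for this member
    recipient_is_member: bool  # False when the benefit goes to someone else
    requested_at: datetime


@dataclass
class MemberState:
    balance: int
    password_changed_at: Optional[datetime] = None
    contact_changed_at: Optional[datetime] = None     # email / phone on file
    recent_redemptions: List[datetime] = field(default_factory=list)


# Assumed thresholds; a real programme would tune these from its own fraud data.
HIGH_VALUE_POINTS = 20_000
SENSITIVE_CHANGE_WINDOW = timedelta(hours=48)
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 3
CASH_EQUIVALENT = {"gift_card", "transfer"}


def risk_signals(r: Redemption, m: MemberState) -> List[str]:
    """Return the reasons this redemption resembles an account takeover."""
    signals: List[str] = []
    if r.kind in CASH_EQUIVALENT or not r.recipient_is_member:
        signals.append("cash-equivalent or third-party redemption")
    if r.points >= HIGH_VALUE_POINTS or r.points > m.balance // 2:
        signals.append("high-value redemption")
    if not r.device_known:
        signals.append("unrecognised device")
    for label, changed_at in (("password", m.password_changed_at),
                              ("contact details", m.contact_changed_at)):
        if changed_at is not None and \
                timedelta(0) <= r.requested_at - changed_at < SENSITIVE_CHANGE_WINDOW:
            signals.append(f"{label} changed within 48h")
    recent = [t for t in m.recent_redemptions
              if timedelta(0) <= r.requested_at - t < VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        signals.append("redemption velocity")
    return signals


def decide(r: Redemption, m: MemberState) -> Tuple[str, List[str]]:
    """Every redemption needs 2FA (the page's rule); two or more takeover
    signals additionally hold it for manual review before points move."""
    if r.points > m.balance:
        return "reject", ["insufficient balance"]
    signals = risk_signals(r, m)
    if len(signals) >= 2:
        return "hold_for_review", signals
    return "require_2fa", signals


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed sample data: one routine booking, one takeover pattern
    (new device, password just changed, gift card) and one overdrawn request."""
    now = datetime(2025, 12, 1, 10, 0)           # constructed timestamp
    member = MemberState(balance=120_000,
                         password_changed_at=now - timedelta(hours=6))
    routine = Redemption("IBP-EXAMPLE-1", 15_000, "flight", True, True, now)
    takeover = Redemption("IBP-EXAMPLE-1", 60_000, "gift_card", False, False, now)
    overdrawn = Redemption("IBP-EXAMPLE-1", 150_000, "flight", True, True, now)
    return {
        "routine": decide(routine, member),
        "takeover": decide(takeover, member),
        "overdrawn": decide(overdrawn, member),
    }


if __name__ == "__main__":
    for name, (outcome, why) in demo().items():
        print(f"{name:10s} -> {outcome:16s} {'; '.join(why)}")
```

The routine booking carries one signal (a recent password change) and is still allowed through after 2FA, so ordinary members are not blocked; the gift-card request from an unknown device right after a password change stacks four signals and is held, which is the pattern a drained-miles fraud typically shows.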
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com