Everest ransomware gang claims Iberia breach with 596 GB of stolen data

Ransomware gang Everest claims it has breached the systems of Spanish airline Iberia and extracted 596 GB of internal data from the airline. The group posted the claim on its leak site and said it is demanding a ransom of USD 6 million to prevent the release or sale of the material. According to reports, the published samples include customer names, contact details, birthdates, booking information, masked payment card data and marketing profiles. The attackers also state that they obtained 430 GB of email files that reportedly contain more than five million records connected to flight bookings.

 

 

The group further claims it retained long-term access to Iberia’s systems and could view and modify booking data. According to the leak post, the attackers say the dataset includes full booking histories, personal identifiers and communication logs linked to passenger reservations. These assertions have not been independently verified, and Iberia has not confirmed whether the full volume of data described is genuine.

Iberia previously attributed the incident to a breach at a third-party supplier and said that login credentials and full payment information had not been exposed. The airline stated that customer names, loyalty card identifiers and email addresses may have been compromised. The scale of data now claimed by Everest appears significantly larger than what the airline initially acknowledged. The presence of extensive booking records raises the possibility that the attackers had access to systems with broader privileges than those described in the airline’s original disclosure.

Security researchers who reviewed the published samples said the material appears consistent with data often stored by airline reservation systems. Email files from such systems may hold flight details, passenger information, booking updates and partial payment records. If authentic, the dataset could present notable risks to affected travellers. Attackers could use the information for fraudulent booking changes, identity theft, phishing or targeted scams. Public release of editable booking information could also enable malicious changes to flights or attempts to misuse stored financial identifiers.

Everest warned that releasing the full dataset would cause widespread disruption and potential harm to passengers. The group frequently uses such threats to increase pressure on victims in ransom negotiations. Cybersecurity analysts said that if attackers had long-term access, they may have been able to capture data beyond what has been released so far.

Iberia stated it has activated incident response procedures, notified law enforcement and taken steps intended to reduce the risk of further unauthorised access. The airline’s initial disclosure outlined that it requires verification codes before users change their account email addresses as part of its security measures. It has not commented publicly on the claims made by Everest about the scope of the data or the ransom demand.

The incident highlights the risks faced by airlines that rely on suppliers and third-party service providers to manage reservation and communication systems. Security analysts note that attacks on these partners can expose large volumes of sensitive data even when the airline’s own systems remain compliant with security standards. They advise passengers to be cautious about unexpected emails related to bookings and to verify communication through official channels rather than links sent in unsolicited messages.