Spanish airline Iberia suffered a significant data breach on November 23, 2025, originating from a third-party supplier. Hackers compromised the vendor’s systems, gaining access to sensitive customer data, including names, email addresses, loyalty program details (Iberia Plus tier statuses, point balances, travel histories), and 77GB of proprietary technical documents (e.g., aircraft maintenance files, engine specifications, internal certificates). While payment information and passwords were not exposed, the breach heightened risks of phishing, identity theft, and potential operational risks if technical data was exploited. The threat actor advertised the stolen data on dark web forums for $150,000, accelerating public disclosure. Iberia isolated affected systems, engaged cybersecurity experts, and offered free credit monitoring to impacted customers. The incident underscored supply-chain vulnerabilities in aviation, prompting regulatory scrutiny under GDPR and industry-wide reviews of third-party security protocols.

Iberia, Spain’s national flag carrier airline, suffered a third-party data breach after a threat actor claimed to have exfiltrated 77 GB of its sensitive data. The incident, reported by Security Affairs, suggests the compromise involved external vendor systems, potentially exposing corporate, operational, or customer-related information. While the exact nature of the stolen data (e.g., employee records, flight operations, passenger details) remains undisclosed, the scale (77 GB) indicates a significant data leak with possible reputational, financial, and regulatory repercussions. The breach underscores vulnerabilities in supply chain cybersecurity, where third-party vendors serve as attack vectors for targeting high-profile organizations. Iberia has not confirmed whether the stolen data includes customer personal information or internal employee records, but the volume suggests a high-risk exposure. The incident may trigger investigations under GDPR (given Iberia’s EU operations) and could erode customer trust, particularly if financial or identity-related data was compromised.