Iberia Express Breach Incident Score: Analysis & Impact (IBE5920359112425)

In this Rankiteo incident briefing, we review the Iberia Express breach identified under incident ID IBE5920359112425.

The analysis begins with a detailed overview of Iberia Express's information like the linkedin page: https://www.linkedin.com/company/iberia-express, the number of followers: 89595, the industry type: Airlines and Aviation and the number of employees: 637 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 646 and after the incident was 583 with a difference of -63 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Iberia Express and their customers.

On 14 November 2025, Iberia Líneas Aéreas de España (Iberia) disclosed Data Breach and Third-Party Compromise issues under the banner "Iberia Data Breach via Third-Party Service Provider".

Spanish airline Iberia disclosed a data breach affecting customer personal information, including names, email addresses, and Iberia Plus loyalty card numbers.

The disruption is felt across the environment, affecting Third-Party Supplier System, and exposing Names, Email Addresses and Iberia Plus Loyalty Card Numbers.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Tightened account change procedures (additional verification for email modifications) and Increased monitoring for suspicious activity, and began remediation that includes Enhanced technical safeguards, and stakeholders are being briefed through Customer notifications (weekend disclosure) and Advisories for vigilance against fraud.

The case underscores how Ongoing (internal and external investigations in collaboration with vendors), and recommending next steps like Customers advised to monitor accounts for suspicious activity, Enhanced verification for account changes and Collaboration with third-party vendors to secure supply chain, with advisories going out to stakeholders covering Customers notified via letter and Regulatory authorities informed.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.002) with high confidence (95%), with evidence including breach originated from a compromised third-party supplier system, and supply Chain Attack, Third-Party Vendor Exploitation. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.003) with moderate to high confidence (85%), supported by evidence indicating tightened account change procedures (additional verification for email modifications). Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (80%), with evidence including 77 GB of stolen internal data (likely included credentials in files/documents), and signed internal documents. Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with high confidence (90%), supported by evidence indicating aircraft technical documentation (A320/A321), AMP maintenance files, engine data and File and Directory Discovery (T1083) with high confidence (90%), supported by evidence indicating 77 GB of stolen internal data (implies extensive file enumeration). Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), supported by evidence indicating 77 GB of stolen internal data including documents, maintenance files, technical specifications and Data from Network Shared Drive (T1039) with moderate to high confidence (85%), supported by evidence indicating third-Party Supplier System compromise likely granted access to shared drives. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with high confidence (90%), with evidence including 77 GB of stolen internal data advertised on dark web, and data exfiltration such as true and Exfiltration to Cloud Storage: Exfiltration to Web Services (T1567.002) with moderate to high confidence (80%), supported by evidence indicating dark web forum advertisement implies use of file-sharing or cloud storage for exfiltration. Under the Impact tactic, the analysis identified Data from Cloud Storage (T1530) with moderate to high confidence (75%), supported by evidence indicating 77 GB dataset likely staged in cloud storage before sale, Data Manipulation: Staged Data (T1659) with moderate to high confidence (85%), supported by evidence indicating threat actor claimed responsibility on a dark web forum, advertising 77 GB of stolen data, and Data Encrypted for Impact (T1486) with lower confidence (30%), supported by evidence indicating ransom demanded such as $150,000 (though no confirmation of encryption). Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (70%), supported by evidence indicating no logs or forensic details provided, but 77 GB exfiltration suggests cleanup and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate confidence (65%), supported by evidence indicating enhanced monitoring implemented post-breach implies prior evasion. Under the Lateral Movement tactic, the analysis identified Remote Services: Windows Remote Management (T1021.006) with moderate to high confidence (70%), supported by evidence indicating third-Party Supplier System compromise may have enabled lateral movement into Iberia’s network. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.