Cyberattack Disrupts Air Côte d’Ivoire, INC Ransomware Gang Claims Data Theft Air Côte d’Ivoire, the flagship airline of Côte d’Ivoire, confirmed a cyberattack on February 8 that disrupted parts of its information systems, forcing the company to activate business continuity measures. The INC ransomware gang later claimed responsibility, alleging it stole 208 GB of data and demanding an undisclosed ransom by February 24. In a statement released on February 16, the airline acknowledged the breach and reported that technical teams were deployed to maintain flight operations. While assuring passengers that its flight program remained stable under international safety standards, Air Côte d’Ivoire warned of potential risks to service providers, employees, and travelers due to the data leak. The airline notified France’s ANSSI and Côte d’Ivoire’s ARTCI, while the country’s Computer Emergency Response Team (CI-CERT) and international experts launched an investigation into the incident. Based in Abidjan, Air Côte d’Ivoire operates a fleet of 14 aircraft, serving destinations across Africa, Lebanon, and France. The INC ransomware group, known for high-profile attacks including breaches of the Pennsylvania Attorney General’s Office, the governments of Panama (2025) and Hungary (2024), and a U.S. emergency alert system disruption in November has increasingly targeted regional airlines. Last year, similar attacks affected South African Airways, Hawaiian Airlines, Qantas, Iberia, and multiple Russian carriers, highlighting the aviation sector’s vulnerability to ransomware threats.

Iberia Confirms Data Breach Exposing Aircraft Technical Data and Customer Information Spanish airline Iberia has acknowledged a data breach involving 77 GB of sensitive internal documents and customer data, first identified in November 2024. The breach was exposed this week by cybersecurity firm Hudson Rock, which linked the incident to a threat actor known as Zestix, who had been auctioning stolen corporate data from approximately 50 companies and law firms. The attacker allegedly compromised Iberia’s ShareFile instance—a file-sharing platform developed by Progress Software—after infecting an employee’s device with infostealer malware to harvest credentials. The stolen data includes technical materials for Airbus A320 and A321 aircraft, such as maintenance files, engine specifications, damage charts, and confidential fleet information. While Iberia stated that the exposed data was "non-operational" and did not compromise flight safety, Hudson Rock noted that the files contained digital signatures and proprietary configurations that could be valuable to competitors or state actors. In addition to technical documents, the breach exposed personal data of Iberia customers, including names, email addresses, phone numbers, Iberia Club membership numbers, and booking reference codes for future flights. Iberia reported the incident to Spanish regulators, including the Spanish Data Protection Agency, and notified affected customers in late 2024. The airline also implemented two-factor authentication (2FA) for impacted accounts to prevent unauthorized access. Zestix, the threat actor behind the breach, operates as an initial access broker within Russian-language cybercrime forums, selling compromised corporate access for Bitcoin. Hudson Rock’s investigation linked one of Zestix’s aliases to an Iranian national and associated the group with the Funksec cybercriminal collective. While Iberia confirmed the breach, none of the other companies listed in Hudson Rock’s report have publicly acknowledged being affected.

Iberia Airlines Hit by Major Cyberattack as Everest Ransomware Group Steals Passenger Data Iberia Airlines, one of Spain’s leading carriers, has suffered a significant cyberattack resulting in the theft of sensitive passenger data. The breach, attributed to the Everest ransomware group, exposed approximately 596 GB of information, including frequent flyer records, personal details, and travel booking data. While full payment card details remained secure, attackers claimed to have accessed partially masked credit card information, raising concerns over potential phishing and fraud risks. The incident occurred after unauthorized access was gained through a third-party vendor, highlighting vulnerabilities in aviation’s interconnected digital infrastructure. The Everest group demanded a $6 million ransom, threatening to release or sell the stolen data if unpaid a move that could fuel large-scale fraud and reputational damage for Iberia and Spain’s tourism sector. Affected passengers, particularly Iberia Club members, were notified of the breach, with the airline confirming no immediate fraudulent activity had been detected. However, travelers were advised to remain vigilant against phishing attempts, as stolen data including names, emails, and travel histories could be exploited for targeted scams. This attack follows a pattern of high-profile cyber incidents in Europe’s aviation sector, including Everest’s previous disruption of the MUSE check-in platform in September 2025, which caused delays at major airports like London Heathrow and Berlin Brandenburg. The breach underscores the growing cybersecurity risks facing airlines, airports, and tourism-dependent economies, as digital transformation increases reliance on vulnerable third-party systems. With Spain’s tourism industry heavily dependent on secure digital operations, the incident has reignited calls for stronger cybersecurity measures across Europe’s aviation and travel sectors. The breach serves as a stark reminder of the evolving threats to passenger data and the operational integrity of global air transport networks.

Everest Ransomware Group Claims Breach of McDonald’s India, Allegedly Stealing 861GB of Sensitive Data The Everest ransomware group has claimed responsibility for a breach of McDonald’s India, the fast-food giant’s Indian subsidiary, allegedly exfiltrating 861 GB of customer data and internal documents. The claim, posted on the group’s dark web leak site on January 20, 2026, includes screenshots purportedly showing financial reports (2023–2026), audit trails, ERP migration files, pricing data, and confidential internal communications. Among the leaked materials are structured directories with month-by-month accounting records, a folder labeled "Investor Info" containing board-level documents, and a "Contact Database" with details of investors and business partners including names, addresses, phone numbers, and emails across the US, UK, Singapore, and India. Additional screenshots reveal store-level data, such as manager names, company email addresses (under mcdonaldsindia.com), and direct contact numbers for multiple outlet locations. Everest has set a two-day deadline for McDonald’s India to respond, though the company has yet to issue an official statement. The claims remain unverified pending confirmation from McDonald’s or further evidence. The group, one of the most active ransomware operators in 2025, has maintained its aggressive campaign into 2026, targeting high-profile organizations including Nissan, ASUS, Chrysler, Iberia Airlines, Under Armour, Petrobras, AT&T, and Dublin Airport. Investigations into the alleged McDonald’s India breach are ongoing.