Iberia Airlines Data Breach Exposes Customer Names and Email Addresses

Iberia Airlines, Spain’s flagship carrier, confirmed a cybersecurity incident that exposed sensitive customer data.

Attackers gained unauthorized access to a third-party provider’s systems, compromising names, email addresses, and Iberia Club loyalty program IDs for an undisclosed number of users.

The breach falls under the cybercrime threat class in the air transport sector, highlighting risks in outsourced IT services.

The incident surfaced recently when Iberia detected unusual activity. Security teams traced it to the external provider that handles customer-facing services, such as loyalty program management.

Hackers likely exploited weak authentication, possibly stolen credentials or a misconfigured API endpoint, allowing them to query databases directly.

No financial data, passwords, or travel itineraries appear to be compromised, but the exposed emails and IDs pose phishing risks.

Iberia acted swiftly after the detection. The airline isolated affected systems and launched a forensic investigation with external experts.

Customers received notifications urging them to watch for suspicious emails mimicking Iberia branding.

The company reset compromised loyalty accounts and enhanced multi-factor authentication (MFA) across its ecosystem.

Breach Mechanics and Technical Insights

Details reveal a classic supply chain attack vector. The external provider’s infrastructure used outdated software, potentially vulnerable to SQL injection or session hijacking.

Threat actors scanned for open ports, such as those running unpatched web servers on TCP 443 (HTTPS), then pivoted to internal databases holding structured customer records in formats like JSON or CSV exports.

Exfiltration likely involved automated scripts pulling data via unsecured endpoints. Indicators point to cybercrime groups specializing in data harvesting for spam campaigns or identity fraud.
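As an added illustration (not code from Iberia, its provider, or the article's author), the sketch below shows how a defender could flag the kind of automated record pulling described above by counting distinct member IDs read per API key inside a sliding time window. The log layout, the `/api/v1/members/<id>` path, the key names, and the thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log layout: ip, API key id, [ISO timestamp], request line, status.
LINE = re.compile(r'(\S+) (\S+) \[([^\]]+)\] "GET /api/v1/members/(\d+) HTTP/1\.1" (\d{3})')

def parse(line):
    """Return (api_key, timestamp, member_id) for successful member reads."""
    m = LINE.match(line)
    if not m or m.group(5) != "200":
        return None
    return m.group(2), datetime.fromisoformat(m.group(3)), int(m.group(4))

def find_bulk_readers(lines, window=timedelta(minutes=1), max_distinct=20):
    """Map api_key -> peak count of distinct member IDs read inside any
    sliding window, for keys whose peak exceeds max_distinct."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[0]].append(rec[1:])
    flagged = {}
    for key, evs in events.items():
        evs.sort()
        seen, start, peak = Counter(), 0, 0
        for ts, member in evs:
            seen[member] += 1
            while ts - evs[start][0] > window:  # drop reads older than window
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            peak = max(peak, len(seen))
        if peak > max_distinct:
            flagged[key] = peak
    return flagged

def sample_log():
    """Constructed sample: one interactive client, one enumerating client."""
    base = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    def row(ip, key, sec, member):
        ts = (base + timedelta(seconds=sec)).isoformat()
        return f'{ip} {key} [{ts}] "GET /api/v1/members/{member} HTTP/1.1" 200'
    web = [row("198.51.100.7", "key-web", s * 30, 1000 + s % 3) for s in range(20)]
    batch = [row("203.0.113.9", "key-batch", s, 5000 + s) for s in range(50)]
    denied = [row("203.0.113.9", "key-batch", 60, 1)[:-3] + "403"]
    return web + batch + denied

if __name__ == "__main__":
    print(find_bulk_readers(sample_log()))
```

Counting distinct records rather than raw requests keeps a busy but legitimate client that re-reads a few accounts from tripping the alert.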

Iberia’s status update labels it “confirmed,” with no ransomware payload detected, unlike recent aviation hits on rivals.

CVSS scoring for similar incidents, such as breaches, rates around 7.5 (high), factoring in confidentiality loss and ease of exploitation.

Air transport firms often rely on vendors for CRM tools, making API keys and OAuth tokens prime targets.

Customer Impact and Mitigation Steps

Loyalty members face elevated spam and spear-phishing threats. Criminals could craft tailored lures using real names and emails, tricking users into fake login pages that steal credentials via credential stuffing.

Iberia recommends enabling MFA everywhere, monitoring accounts for unauthorized changes, and using password managers.

Regulators like Spain’s AEPD may probe the provider’s compliance with GDPR, which mandates data minimization and breach reporting within 72 hours.

The aviation sector saw 15% more incidents in 2025, per threat reports. Iberia vows system-wide audits.

Travelers should stay vigilant, update their email addresses, and verify communications directly through official apps.

Varshini

Varshini is a cyber security expert in threat analysis, vulnerability assessment, and research, passionate about staying ahead of emerging threats and technologies.
