Iberia, one of Europe’s most traditional airlines, experienced a successful cyberattack recently. A third-party supplier was targeted by a hacker, resulting in the leak of personal data from several of the company’s passengers. Although it did not involve sensitive data such as passwords and financial information, the attack raises concerns about the vulnerability of airlines and their supply chain.
Iberia faces a growing security challenge after an attack on a third-party supplier
The official confirmation of the attack came from the company itself, which sent emails in Spanish explaining what happened. One of its suppliers had suffered an intrusion, allowing unauthorized access to customer data. Among the various pieces of information exposed were names, email addresses, and Iberia Club loyalty program numbers.
The company, however, made it clear that the data breach did not involve login credentials or bank details. The situation raised concerns about this issue, especially since days earlier, a hacker had announced that he possessed 77 GB of the company’s data, offered for US$150,000.
This same intruder passed on detailed information about the data, stating that he had technical documents, classified information, and aircraft engine data, describing the material as useful for corporate espionage and extortion. There is still no confirmation that this specific attack is linked to the supplier leak, but the coincidence due to the short time span between the two events further reinforces the need for close attention to company data security.
Attack reignites debate about data protection
Iberia’s response to what happened was swift. The company implemented extra verification for any email changes in customer accounts and contacted authorities to investigate the case together with its suppliers. However, the incident raises questions about companies’ ability to protect themselves when they rely on an extensive network of partners.
How the leak increases the risk of phishing and scams targeting passengers
A common cyberattack practice, and one that is often successful due to its intent to deceive people, is phishing. If you’ve ever traveled with Iberia, it’s worth paying attention because, using real names, valid email addresses, and legitimate loyalty numbers, criminals can create convincing messages capable of deceiving even the most attentive users.
Iberia stated that, so far, there is no evidence of fraudulent use of information, but it still reinforces the recommendation to exercise maximum caution. Emails requesting data verification, password reset requests, or messages offering refunds related to the incident should be viewed with suspicion.
One of the most dangerous and clever aspects of these attacks is precisely the timing of their occurrence. Scammers often wait a considerable amount of time, between weeks and months, before acting, at a moment when many customers are not thinking clearly and have lowered their guard.
Why partner safety is so crucial in today’s aviation industry
It’s worth highlighting that a relevant detail about this matter is that the attack did not occur directly on Iberia’s systems. The breach came through a supplier, which shows how the security of large companies is only as strong as the weakest link in their entire chain. In the airline sector, this becomes even more complex: companies deal daily with suppliers of IT, maintenance, logistics, operations, and ground services.
Following this incident, Iberia has already reinforced several layers of security and is investigating the case alongside the authorities. Passengers who have flown with Iberia are advised to be vigilant and suspicious of any communication requesting personal or confidential information. And for companies, not only in the aviation sector but also in other sectors involving suppliers, the lesson is that security depends not only on internal organization but on the entire supply chain and those involved in it.
Disclaimer: Our coverage of events affecting companies is purely informative and descriptive. Under no circumstances does it seek to promote an opinion or create a trend, nor can it be taken as investment advice or a recommendation of any kind.
