Everest Ransomware Claims Data Breach at Spain’s National Airline Iberia, Exposing 596 GB of Data

Recent Data Breaches Affect Iberia and Air Miles España, S.A.

The Everest ransomware group has made headlines with alarming claims of successful breaches at Iberia, Spain’s national airline. According to the group, they have extracted a substantial database of 596 GB, alongside 430 GB of booking-related email files. This cache reportedly contains data on millions of customers from various countries, raising significant concerns about the security of personal information.

The leaked data, showcased on Hackread.com, allegedly includes comprehensive personal details such as full identities, loyalty program information, Avios balances, travel histories, ticket numbers, complete booking frameworks, message contents, and transaction records from IberiaPay. The group asserts that their unauthorized access was prolonged and enabled them not only to read but also to modify booking details. They claim to have undertaken actions that include altering contact information, updating emergency contacts, and changing seat selections, meal preferences, and other additional services, and say they were able to cancel tickets in accordance with fare regulations.

In a developing situation, Everest has stated they are awaiting a response from Iberia before initiating negotiations. They have indicated that they have sanitized samples of the data; however, their history suggests that if discussions do not lead to an agreement, they may release complete files, significantly impacting passengers in Spain, Latin America, and territories where Iberia maintains a substantial market presence.

In a similar incident, Everest has targeted Air Miles España, S.A., the administrator of Spain’s Travel Club rewards program, which is widely used across the country through various partners and has millions of users. This breach, reported on November 25, has drawn attention because the group claims to have stolen approximately 131 GB of data while also locking internal systems, a double extortion strategy common among such groups. If the targeted organization fails to comply with the ransom demands, the group typically resorts to exposing all stolen data on their platforms.

The information compromised from Travel Club could encompass sensitive data including names, residential and email addresses, phone numbers, loyalty account identifiers, point balances, purchase histories, and extensive marketing profiles. Such a breach poses enormous risks related to phishing and identity theft not only for individual consumers but also for the business partners involved, given the high-value behavioral data accumulated through collaborations with major brands.

In November alone, the Everest group displayed significant activity; reported claims included the theft of 343 GB of data from Under Armour and over 176 GB of seismic navigation data from Petrobras, along with 1.5 million passenger records from Dublin Airport. This surge in cyberattacks underscores the need for heightened vigilance among businesses regarding their data security measures.

Should customer information have indeed been compromised, both Iberia and Air Miles España will have obligations under the General Data Protection Regulation (GDPR) to promptly inform the Spanish Data Protection Agency and affected individuals. Delayed action in addressing these breaches could result in substantial regulatory penalties.

As the situation continues to evolve, stakeholders are urged to take preventative steps, including immediate password changes and scrutiny of accounts for any signs of unusual activity. The MITRE ATT&CK framework can aid in understanding the tactics employed in these attacks, including potential techniques under initial access, persistence, privilege escalation, and defence evasion, which are pertinent to formulating response strategies and strengthening preventive measures against future incidents.
