When an airline the size of Iberia confirms a security incident, it’s never a minor issue. In this case, the breach didn’t occur within Iberia’s own systems but rather through a third-party vendor. Still, that didn’t prevent customer data from being exposed.
At TecnetOne, we break down what happened, what was compromised, and why this incident is a reminder of how fragile an unprotected digital supply chain can be.
Iberia notified its customers about a security incident stemming from a vendor with access to the airline’s information. While Iberia maintains its own security controls, the attacker exploited a vulnerability in the external provider to access passenger data.
The breach involved the exposure of:
The airline clarified that passwords, account access, and financial data were not compromised—some relief in an otherwise troubling event.
At TecnetOne, we often say: your cybersecurity is only as strong as your weakest vendor.
In the customer notification, Iberia stated that it detected unauthorized access to data stored by a provider. Upon discovery, the company immediately activated its incident response protocol, which included:
So far, Iberia says there’s no evidence the leaked data has been used fraudulently, but it urged customers to stay alert for suspicious emails or phishing attempts.
Notably, the airline has not disclosed the vendor’s name or the specific attack vector—common during ongoing investigations, but it leaves uncertainty about the full scope.
Read more: The Hidden Cost of Supply Chain Breaches (And How to Stop It)
Shortly after Iberia’s announcement, a malicious actor claimed on underground forums to possess 77 GB of Iberia’s internal data and offered it for sale at $150,000.
According to information shared by Hackmanac, the leaked package allegedly includes:
If this claim proves true, the breach goes far beyond customer data—it could affect aircraft operations, maintenance procedures, and internationally regulated processes.
Iberia has yet to confirm or deny the authenticity of the 77 GB claim. But even a partial leak could pose major risks.
This raises a major question:
Are the vendor-related breach and the 77 GB claim part of the same incident?
There are two possible scenarios:
The vendor had access to both customer and technical documentation, and the attacker exploited this to extract everything.
The vendor breach exposed only limited customer data, while the 77 GB claim results from a second, undisclosed intrusion.
This is common in the aviation sector, where systems are often siloed. And while Iberia denies a large-scale internal breach, the lack of detail leaves room for speculation.
Based on our global monitoring experience at TecnetOne, both scenarios are technically plausible.
You might also be interested in: Aeroméxico Suffers Alleged Cyberattack: 30 Million Records at Risk
This case reinforces a clear trend: cybercriminals increasingly target not just the primary company, but its suppliers, contractors, integrators, and third-party services.
Why?
From SolarWinds to MOVEit, from Kaseya to Iberia—the pattern is the same: the vendor is the easiest way in.
That’s why at TecnetOne, we emphasize continuous audits, strict segmentation, cybersecurity clauses in contracts, and regular third-party risk testing.
While Iberia insists there’s no financial fraud risk, if you're an Iberia or Iberia Plus user, it’s wise to take precautions:
Most post-breach attacks are phishing or impersonation, not technical exploits.
The Iberia breach proves once again: a company’s cybersecurity isn’t just about its own systems. It’s about its entire vendor ecosystem.
You can invest millions in internal protection, but if a third-party vendor uses weak credentials, outdated protocols, or flawed processes, it becomes the perfect gateway for attackers.
For an international airline, the impact goes beyond business: it affects compliance, reputation, and customer trust.
At TecnetOne, we always say: cybersecurity isn’t a product—it’s an ecosystem. And any weak link in that chain leaves you exposed.