Forget Firewalls — Hack the Supplier: The Iberia Attack Blueprint Revealed

On 23 November 2025, Iberia disclosed a security incident stemming from an unauthorized access to the systems of a third-party supplier / vendor.The airline communicated to impacted customers that certain personal data may have been exposed. According to the notification, exposed information may include first and last name, email address, and loyalty-card identification numbers (Iberia Club). Iberia explicitly stated that account login credentials/passwords and payment card or banking data were not compromised.

🚨Cyber Alert‼️

🇪🇸Spain – Iberia

A threat actor claims to be selling 77 GB of Iberia’s internal data for 150,000 dollars.

They say the package contains technical material on A320 and A321 aircraft, AMP maintenance files, and engine data, along with internal documents carrying… pic.twitter.com/4GIMW6FMGJ
— Hackmanac (@H4ckmanac) November 14, 2025

Scope & Context

The disclosure came shortly after a threat actor on a hacker forum claimed to possess 77 GB of data allegedly extracted from Iberia, offered for sale for USD 150,000. The claimed contents included not only customer data, but also technical documentation related to aircraft maintenance, engine data, internal operational documents.
Iberia confirmed the leak originates from a supplier breach, not from its own core systems. The vendor’s identity and the specific systems affected have not been publicly disclosed.
The airline began customer notifications shortly after the public claim — a number of days after the alleged theft — but no specific date for the initial compromise has been revealed.

Attack Classification & Technical Attribution

The incident aligns with a supply-chain/vendor compromise scenario, where adversaries target external suppliers rather than the primary organization directly.
According to one public analysis, the attacker may have leveraged techniques mapped to the following in the MITRE ATT&CK framework:
- T1195 (Supply Chain Compromise) — compromise of a vendor/supplier to reach primary victim.
- T1567.002 (Exfiltration Over Web Service) — exfiltration of data from the compromised environment to an external location.
Some unconfirmed public commentary suggests that the attacker might have exploited a public-facing application or used valid/stolen credentials to gain access to the supplier’s infrastructure (e.g., references to techniques similar to T1078 (Valid Accounts) or T1190 (Exploit Public-Facing Application) in some analyses.
However — and this is important for clarity — no concrete forensic indicators (e.g., malware samples, hashes, C2 infrastructure, exploit details) have been published. The information about method of initial access remains speculative. The supplier name, system names, and logs have not been publicly disclosed either.

Confirmed Data Exposure

The only confirmed exposed data elements are customer names, email addresses, and Iberia Club loyalty-card IDs.
Credentials (user passwords) and financial/payment-card data were confirmed not compromised as per pentesting experts.
There is no official confirmation that the larger 77 GB data package claimed for sale — containing internal documents and aircraft maintenance data — overlaps fully with the data Iberia has admitted was exposed.

Threat Actor & Motivation

The identity of the threat actor remains unknown; no public attribution has been made.
The actor publicly advertised the data for monetary gain (USD 150,000), positioning it as suitable for resale, espionage, or sale to state-actors.
The claimed dataset—that includes alleged internal technical and operational documentation—would be of interest for competitor intelligence, industrial espionage, or supply-chain-targeted threat scenarios.

The breach affecting Iberia appears to be a classical case of supply-chain compromise: an external vendor’s systems were breached, leading to unauthorized exfiltration of customer information (names, emails, loyalty-card IDs). The airline confirmed no loss of credentials or payment data. A threat actor apparently claims to have much larger data — including technical/operational documents — but that portion remains unverified. No technical forensic data has been released, and the attack vector remains unspecified. As it stands, the publicly available facts are limited and largely consist of the customer notification, statements by Iberia, and the threat actor’s forum listing.

Mike Stevens

Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.

Forget Firewalls — Hack the Supplier: The Iberia Attack Blueprint Revealed

Scope & Context

Attack Classification & Technical Attribution

Confirmed Data Exposure

Threat Actor & Motivation

Microsoft SharePoint Zero-Day EXPLAINED — How Hackers Got In Without a Password

How to Easily Escalate to Root on Linux Using the Latest Sudo Vulnerabilities

WhatsApp’s Latest Bug Could Be the Gateway to a Full System Takeover

The AWS Exploit That Lets Hackers Take Over Your Cloud – Without You Knowing!

Your Secure Boot Isn’t So Secure: New CVE-2024-7344 Explained

Forget Firewalls — Hack the Supplier: The Iberia Attack Blueprint Revealed

Think Your Firewall Is Safe? The F5 Hack Proves It’s the Perfect Trojan Horse

The Secret to Hacking SaaS? Forget Passwords — Go for Tokens

Victoria’s Secret Hit by Cyberattack — Here’s What They’re Not Telling You

Oracle Cloud Was Hacked — But They Didn’t Tell You Everything

110 Million AT&T Customers’ Data leaked: Inside the $370,000 Ransom Payment

How Hackers Stole Taylor Swift Tickets: The Full Ticketmaster Breach Story

How to Easily Escalate to Root on Linux Using the Latest Sudo Vulnerabilities

You Trust Your Helm Charts — Here’s Why That’s a Huge Mistake That Could Lead to a Cloud Breach

One Man Scammed Spotify, Apple Music for 5 years with 4 BILLION Streams. How Artists Are Earning Millions Illegally?

Comparing CIS v8, CIS AWS Foundations Benchmark v1.5, and PCI DSS v4.0 for CSPM. Which you Should Start With?

MITRE EMB3D Explained: Top Threats to Embedded Devices and How EMB3D Mitigates Them

Google Gemini Under Fire: Critical Security Vulnerabilities You Need to Know to hack Gemini

Cracking SCCM Wide Open: Pentesting System Center Configuration Manager with Misconfiguration Manager

Hacking Windows 10 and 11 with DLL Search Order Hijacking without administrator rights

Hacking SSH Connections by exploiting SSH Protocol Vulnerabilities: Different Terrapin Attack Vectors

Understanding Latest DHCP DNS Vulnerabilities and How DHCP Exploits work in Active Directory

Hacking Bluetooth via MiTM: The BLUFFS Bluetooth attack to hack into Millions of Devices

6 Steps to File Anonymous SEC Complaints Against Data Breachers & Force Them to Pay Fines or Take Action

Inside the Exploit: How Your ChatGPT’s Uploaded Files Could Be Stolen by Prompt Injection Vulnerability

This Google Calendar technique allows to hack into companies without getting detected

This telegram bot is like ChatGPT for scammers to steal money from victims easily

The Dark Side of PDFs: How Opening a Simple PDF Could Unleash a Cybersecurity Nightmare

Largest soft drink bottle supplier, recycle and plastic manufacturers hacked by ransomware

Visited thesaurus.com in search for Synonyms? You have Coinminer malware infection

How to send malware via Teams, even “Safe Attachments” or “Safe Links” can’t protect you

2 Big Cloud hosting companies shutdown by ransomware and lose all customer data