Everest ransomware claims breach at Spain’s national airline Iberia with 596 GB data theft

Everest ransomware group has published a claim saying it breached Iberia, Spain’s flag-carrier airline and extracted a 596 GB database along with 430 GB of booking-related mail files. The group states that the data covers millions of customers in multiple countries.

As seen by Hackread.com on the group’s dark web leak site, the group claims the stolen data includes full identity information, loyalty details, Avios balances, travel histories, ticket numbers, booking structures, message content and payment records from IberiaPay.

Everest also says it had long-term access with the ability to read and alter bookings. They outline actions such as changing contact details, adjusting emergency contacts, modifying seats, meals, and other add-ons, and viewing or cancelling tickets within fare rules.

The group says it is waiting for Iberia to respond before starting negotiations. They claim to have removed personal data from the samples, but their previous cases show that full files get released if talks fail. A leak would circulate rapidly across criminal sites and would impact passengers in Spain, Latin America and other regions where Iberia holds a strong market share.

Screenshot from the Everest ransomware group’s dark web leak site (Image credit: Hackread.com)

****Air Miles España, S.A Breach Claims****

In another listing, Everest has published another claim targeting Air Miles España, S.A., the operator of Spain’s Travel Club rewards program. This incident was reported on November 25 2025. Travel Club is widely used across Spain through partners such as airlines, fuel companies and retailers, so its exposure affects millions of people.

Everest says it stole about 131 GB of data from Air Miles España and then locked internal systems. This follows the double extortion pattern where the attackers take files, then encrypt systems and demand payment to stop public release. If Air Miles España does not pay, the Everest ransomware group usually leaks everything on its site.

Early indications suggest the stolen Travel Club data could include names, home and email addresses, phone numbers, loyalty account identifiers, point balances, purchase records and broad marketing profiles. This creates a significant phishing and identity theft risk across Spain.

Travel Club stores high-value behavioural information gathered through brands such as Repsol, Eroski and Iberia; therefore, a breach affects both consumers and business partners.

****Everest, An Active Threat****

The Everest group has recently been very active; in November, Hackread.com reported claims that the group stole 343 GB of data from sportswear giant Under Armour (November 17) and targeted Brazilian petroleum giant Petrobras (November 20), claiming to have stolen over 176 GB of seismic navigation data, which included files from a partner firm. Everest also claimed to have stolen 1.5 million Dublin Airport passenger records in October.

If customer information was taken, Air Miles España must notify the Spanish Data Protection Agency and the affected users under GDPR. Failure to act quickly would result in heavy penalties.

This is a developing story. Until an official statement is released, customers should change their passwords immediately and monitor their accounts for unusual activity.