
Six million dollars – that’s how much the Everest ransomware gang wants Iberia, the Spanish airline, to pay if it doesn’t want the stolen data to be sold to third parties. Crucially, the trove seems to include fully editable booking information.
- The infamous Everest ransomware gang has claimed responsibility for breaching Iberia and stealing 596GB of internal company data.
- The group also claims it has had “long-term, unfettered access” to all bookings, with the ability to view and edit them.
- That's crucial. Everest themselves say: “A full data leak would have catastrophic consequences for both customers and the company, triggering a massive wave of spam and fraud.”

When Iberia notified customers of a data security incident last Sunday, the airline didn’t paint the full picture: the situation seems to be much more serious than the Spanish flag carrier explained.
In the email sent to customers, Iberia claimed that the incident was caused by a compromise at one of its suppliers, and that customers’ account login credentials weren’t nabbed.
Hackmanac (@H4ckmanac), November 23, 2025:
🚨Cyber Alert‼️
🇪🇸Spain - Iberia
Iberia Airlines reports a security incident involving unauthorized access to an external provider, exposing customer names, emails, and Iberia Club loyalty IDs.
Sector: Air Transport
Threat class: Cybercrime
Status: Confirmed
pic.twitter.com/wFwtBSrfZu
Now, however, the infamous Everest ransomware gang has claimed responsibility for breaching Iberia and stealing 596GB of internal company data.
Ability to edit bookings
On its data leak portal, Everest says the data includes customer names, contact details, birthdates, travel and booking information, masked card data, and marketing profiles.
The group also claims it has had “long-term, unfettered access” to all bookings, with the ability to view and edit them. Everest additionally says it has grabbed 430GB of .eml files containing more than five million records.
That’s crucial. Everest themselves say: “Based on the available booking data in the .eml files, the information below can be viewed and edited.”
“A full data leak would have catastrophic consequences for both customers and the company, triggering a massive wave of spam and fraud,” the threat actor adds, claiming that it won’t leak “a single booking” as long as Iberia pays $6 million.
According to the Cybernews research team, Everest’s claim that it – or whoever purchased the data from the group – can edit bookings from .eml files is likely to be true, as .eml files are used to store email messages, and airlines often include a significant portion of flight details in emails.
“Indeed, Everest is likely in possession of many booking-related details they mention, such as booking references, flight details, or passenger PII (Personally Identifiable Information),” our researchers said.
When a user wants to manage their booking on Iberia’s website, they can log in with their surname and booking reference or with their account credentials.
This way, Everest can modify the booking info by logging in via booking references and customer PII found in .eml files, Cybernews researchers explained. In the posting, Everest also provides screenshots likely taken from Iberia’s website.
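The access pattern described above, where bookings are opened with only a surname and a booking reference, is something a defender can look for in manage-booking logs. The sketch below is an added example, not code from Cybernews or Iberia; the log format, field names and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (not a real airline log):
# timestamp  client  login_method  booking_ref  action
SAMPLE_LOG = """\
2025-11-24T09:00:05 198.51.100.7 ref+surname AAA111 view
2025-11-24T09:01:10 198.51.100.7 ref+surname BBB222 edit
2025-11-24T09:02:30 198.51.100.7 ref+surname CCC333 view
2025-11-24T09:03:45 198.51.100.7 ref+surname DDD444 edit
2025-11-24T09:05:00 203.0.113.20 ref+surname EEE555 view
2025-11-24T09:06:00 203.0.113.20 ref+surname FFF666 edit
2025-11-24T09:07:00 192.0.2.44 account GGG777 view
2025-11-24T09:07:30 192.0.2.44 account HHH888 view
2025-11-24T09:08:00 192.0.2.44 account JJJ999 view
2025-11-24T09:08:30 192.0.2.44 account KKK000 edit
"""

def parse(line):
    ts, client, method, ref, action = line.split()
    return datetime.fromisoformat(ts), client, method, ref, action

def flag_bulk_reference_logins(log_text, window_minutes=10, max_bookings=3):
    """Flag clients that open more than max_bookings distinct bookings via
    surname + booking reference inside a sliding window. Returns
    {client: {"bookings": [...], "edited": [...]}} for itinerary review."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # client -> (timestamp, ref) inside window
    opened = defaultdict(set)     # client -> every ref opened this way
    edited = defaultdict(set)     # client -> refs the client modified
    flagged = set()
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, client, method, ref, action in events:
        if method != "ref+surname":
            continue              # authenticated account sessions are out of scope
        q = recent[client]
        q.append((ts, ref))
        while ts - q[0][0] > window:
            q.popleft()           # drop events older than the window
        opened[client].add(ref)
        if action == "edit":
            edited[client].add(ref)
        if len({r for _, r in q}) > max_bookings:
            flagged.add(client)
    return {c: {"bookings": sorted(opened[c]), "edited": sorted(edited[c])}
            for c in flagged}

if __name__ == "__main__":
    for client, hit in flag_bulk_reference_logins(SAMPLE_LOG).items():
        print(client, hit)
```

The "edited" list is the set of itineraries to verify with the passenger; keying on a session or device identifier instead of the client address is a reasonable variation where one is logged.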
We have once again contacted Iberia’s press team for clarification and will update the article as soon as we receive a response from the airline.
The richness of the trove gives Everest leverage
For Iberia, the situation spells more trouble. That’s because another threat actor claimed in mid-November to be selling 77GB of Iberia’s internal data for $150,000.
In the forum post, the threat actor claimed the data was extracted “directly from the airline’s internal servers,” and contained A320/A321 technical data, AMP maintenance files, engine information, and other internal documents.
However, Everest’s claims – if true – could cause much more significant financial damage to Iberia.
Since many airlines, including Iberia, include detailed booking and passenger information in their confirmation emails, and since managing a booking often requires only a surname and booking reference, the potential impact of this leak is far more serious than it may appear at first glance.
“Access to large numbers of .eml files effectively allows the gang to tamper with travelers’ itineraries. This gives Everest leverage to ask for significant compensation from the airline,” our researchers said.
And there’s little reason to doubt that Everest has indeed nabbed Iberia’s data. While Everest’s claims have not yet been publicly confirmed by the airline, historical patterns suggest a high level of accuracy.
Everest is one of the most aggressive ransomware groups in operation today. It recently targeted Brazilian petroleum giant Petrobras and Under Armour, the global activewear and footwear brand.
The ransomware gang – believed to be Russia-linked – was first spotted in 2021. It made headlines after the October 2022 attack on the American telecommunications behemoth AT&T.