Date of Incident:
2024-04

Overview:

The Iberia Customer Data Leak, reported on November 23, 2025, involved unauthorized access to a third-party vendor’s system supporting Iberia in April 2024. This breach exposed customer names, email addresses, and loyalty card IDs but did not compromise login credentials, passwords, or payment card information. The attack leveraged vulnerabilities and involved techniques like credential stuffing and data exfiltration, with indicators of compromise including suspicious IPs and anomalous login events.

>>Outpace Attackers With AI-Based Automated Penetration Testing

Impact:

Exposure of customer information including name, email address, and loyalty card identification numbers due to unauthorized access to a supplier’s systems. No login credentials, passwords, or payment card information were compromised.

Details:

The breach involved unauthorized access to a third-party vendor’s system that supported Iberia. The attack is mapped to MITRE ATT&CK technique T1078 (Valid Accounts) and T1190 (Exploit Public-Facing Application). The adversary exploited a vulnerability in the supplier’s infrastructure to access customer data including names, emails, and loyalty card IDs. Indicators of Compromise include suspicious IP addresses associated with the vendor’s network, anomalous login events in the vendor access logs, and outbound communications to known malicious domains. Proof-of-concept behavior indicated use of credential stuffing followed by data exfiltration pipelines. Relevant log artifacts include vendor server authentication logs showing unusual access patterns and HTTP 403/401 error logs correlating with brute force attempts.

Remediation:

Vendor has released a patch to fix the exploited vulnerability and recommends immediate application. Temporary mitigations include tightening access controls, implementing multi-factor authentication for vendor access, network segmentation between vendor and Iberia systems, and continuous monitoring for anomalous activities. Known workarounds include disabling the affected vendor system modules until patched.

Takeaway for CISO:

The breach underscores the critical importance of third-party vendor risk management, especially regarding access controls and continuous monitoring. CISOs should enhance vendor security assessment procedures, enforce stronger authentication, and ensure rapid patch deployment processes are in place to mitigate downstream impacts from supply chain attacks.