Iberia Airlines has informed its customers that a data breach at one of its suppliers has exposed certain customer information. The Spanish flag carrier says unauthorized access to the supplier’s systems compromised the confidentiality of some customer data. The incident highlights how third-party vendors can become weak links in enterprise security. The airline says it is investigating the matter and working with the supplier.

The information exposed is said to include customers’ full names, email addresses, and loyalty programme identification numbers for the “Iberia Club” scheme. Iberia emphasises that login credentials, passwords or payment-card data were not accessed in this incident. The breach stems from a supplier system rather than Iberia’s own core infrastructure. Because of this, the airline states the direct danger from the breach is limited but still meaningful.

Iberia’s notification to affected customers explains that its security protocols were activated as soon as the incident was discovered. The airline added technical and organisational measures to contain the event and prevent future occurrences. It also introduced a verification procedure for changes to email addresses in customer accounts. Monitoring of suspicious activity has been increased across relevant systems.

So far, Iberia reports no confirmed cases of fraud or misuse of the exposed data. But it warns customers to remain alert for phishing and social-engineering attempts that could use the compromised names and emails. Because the loyalty IDs were exposed, attackers could craft convincing messages pretending to come from the airline. Iberia says it will act swiftly if misuse is detected and will notify those affected further.

The disclosure follows claims by a threat actor that approximately 77 GB of data from Iberia’s systems were being offered for sale. That data allegedly included internal documents, technical maintenance files and aircraft engine information. While the airline says the current breach involves a vendor and limited customer data, the prior claim raises concern over larger security exposure. It remains unclear whether the data being sold and the supplier breach are linked.

This incident underscores the growing risk of supply-chain attacks in the aviation and travel sector. Airlines rely on many external vendors for IT, logistics, maintenance and customer-service functions. Attackers may target the weakest vendor rather than the main organisation itself. Iberia confirms the supplier’s compromise caused the breach, highlighting how third-party risk needs serious attention.

For Iberia customers, the key steps are simple: enable any available security features, review account settings for unusual changes, and watch for unexpected emails that request personal or account information. Changing passwords (particularly if you haven’t done so recently) and being cautious about requests that claim to come from the airline are wise precautions. Vigilance remains important even if your payment card wasn’t part of the breach.

In summary: Iberia has suffered a vendor-linked data breach that exposed names, emails and loyalty IDs of customers, but not login or payment credentials according to the airline. The company is investigating, has added protections and is urging customers to stay alert. The event serves as a reminder that even trusted organisations may be compromised via third-party relationships in the supply chain.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news