Iberia reported to the Civil Guard Central Operational Unit (UCO), the Data Protection Agency and the National Cybersecurity Institute (INCIBE) the unauthorized external access to a database, which did not compromise flight security.
According to a spokesperson for the airline, cited by Efe, it is a communication repository hosted and managed by third parties, and the information contained in this information exchange system is “limited and non-operational”, although some personal customer data has been obtained.
The extracted information contains names, surnames and email addresses and, to a lesser extent, telephone numbers and Iberia Club membership numbers, although the same source clarifies that “complete and usable data on payment methods or access keys to Iberia accounts” were not obtained.
Although some reservation codes have been extracted for future flights, there is no evidence at this time that any fraudulent activity has been carried out with them.
The airline has contacted affected customers and taken additional security measures, including a double factor so that only customers can manage their bookings.
Iberia regrets the inconvenience this attack may cause to its customers and has activated a free telephone number (900111500) for customers to report any incident, suspicion or anomaly.