Everest Ransomware Takes Iberia for a Ride
- FAIR INTEL

- Nov 28

Synopsis
The analysis indicates that Everest is a highly capable, financially motivated ransomware group able to maintain long-term access, conduct large-scale exfiltration of structured customer and payment data, manipulate operational records, and in some cases encrypt core systems, creating a single loss event that spans operational disruption, regulatory exposure, and widespread customer impact. This information elevates strategic decision making by forcing executives to address quantified risks tied to customer-data concentration, partner integrations, and resilience of booking and loyalty platforms; influences operational decisions by prioritizing stronger monitoring, segmentation, identity governance, and recovery planning; and shapes tactical actions around detection engineering, access auditing, and rapid-response readiness. Overall risk posture becomes more urgent, as susceptibility is high and TEF is supported by repeated attacks across similar organizations, demanding tighter governance and clearer accountability. Financial resilience is directly affected because losses include both primary and secondary cost drivers—response labor, disruption, GDPR exposure, fraud mitigation, and customer churn—making investment in controls, monitoring, and business continuity a financially rational requirement rather than an optional improvement.
Evaluated Source, Context, and Claim
Artifact Title
Everest ransomware claims breach at Spain’s national airline Iberia with 596 GB data theft
Source Type
Cybersecurity news article published on HackRead.com
Publication Date
November 25, 2025
Credibility Assessment
HackRead is a long-running cybersecurity news outlet that frequently reports on ransomware activity and leak-site claims, and its reporting is generally consistent with observable OSINT patterns. However, the information is still based on adversary-controlled leak-site statements, which require cautious interpretation.
General Claim
The OSINT reports that the Everest ransomware group claims to have breached Iberia and Air Miles España, stealing large volumes of sensitive customer and booking data and threatening public leaks if negotiations fail.
Narrative Reconstruction
The OSINT describes the Everest ransomware group, a financially motivated, organized cybercriminal actor, claiming it gained long-term unauthorized access to Iberia’s customer and booking environment and to Air Miles España’s Travel Club systems, exfiltrating large data sets (including identities, loyalty and Avios balances, travel histories, ticket and booking details, IberiaPay payment records, and Travel Club behavioral and contact data) and, in the Travel Club case, also encrypting internal systems in a classic double-extortion pattern. The implied kill-chain-style flow is initial compromise of airline and loyalty program infrastructure by unknown means, establishment of persistent access with the ability to read and modify bookings, bulk collection and exfiltration of high-value customer and transactional data, followed by extortion backed by the threat of large-scale leak-site publication and system disruption if the organizations do not pay. The primary assets targeted are airline and loyalty-program customer PII, payment and loyalty records, booking and travel history data, and associated partner behavioural datasets, with critical internal booking and rewards-processing systems also at risk from encryption. The operational goal is to monetize access through ransom demands and potential resale or criminal use of stolen data, with secondary leverage created by regulatory exposure and customer impact. Translated into a FAIR risk scenario, this becomes: a financially motivated ransomware group with demonstrated capability to obtain persistent access to airline and loyalty-program environments compromises Iberia’s and Air Miles España’s customer and booking platforms, exfiltrates hundreds of gigabytes of sensitive customer and payment data, encrypts key internal systems, and threatens public disclosure and prolonged service disruption to coerce payment, driving a single loss event that combines response and recovery costs, regulatory penalties, fraud and identity theft fallout, and customer churn across multiple regions.
Risk Scenario
A financially motivated ransomware group with demonstrated capability for persistent access, unauthorized data extraction, and operational disruption compromises airline and loyalty-program systems such as those operated by Iberia and Air Miles España. The adversary gains long-term access to customer, booking, payment, and loyalty environments, allowing them to harvest and exfiltrate hundreds of gigabytes of structured personal, transactional, and behavioral data covering millions of users. In parallel, the group can modify operational records, alter bookings, and in at least one case encrypt internal systems to coerce payment. This combination of data theft, service disruption, and extortion results in a single loss event that includes customer data disclosure across multiple regions, interruption of booking and rewards operations, high response and recovery costs, GDPR regulatory exposure, reputational harm, increased fraud and identity-theft risks for affected users, and measurable customer attrition driven by reduced trust and service instability.
Threat
The threat actor is a financially motivated ransomware group claiming long-term access to Iberia and Air Miles España systems, consistent with organized criminal operators engaged in double-extortion campaigns. Their behavior indicates capability to maintain persistence, exfiltrate structured data at scale, and disrupt operations through system encryption.
Method
The OSINT does not specify how initial access or persistence were achieved, but a plausible and reasonable speculation—based on common patterns associated with similar ransomware operations—is that initial entry may have occurred through compromised credentials, exploitation of an unpatched internet-facing system, or intrusion via a partner integration point. From this foothold, the actor could have established sustained persistence through techniques such as credential harvesting, installation of covert remote access mechanisms, or abuse of legitimate administrative tools. This speculative pathway aligns with the reported outcome of long-term access, the ability to read and alter bookings, and later exfiltration and encryption activities, while acknowledging that the exact intrusion vector is not described in the OSINT.
Asset
The primary assets at risk are customer identity data, loyalty and payment information, booking and travel history data, internal booking and rewards-processing systems, and associated behavioral datasets. These assets include both structured customer records and operational airline or loyalty-service systems required to maintain normal business functions.
Impact
The impacts include high-magnitude data disclosure, potential large-scale identity theft, disruption of booking and loyalty operations due to encryption, regulatory penalties under GDPR, recovery and response costs, reputational damage across Spain and Latin America, and customer churn driven by loss of trust and service instability.
Evidentiary Basis for Synopsis and Recommendations
Supporting observations from the analysis help clarify how the threat landscape, control environment, and organizational behaviors interact to shape overall risk exposure. These insights provide the foundation for identifying where controls perform well, where gaps or weaknesses create unnecessary vulnerability, and how attacker methods intersect with real-world operational conditions. Building on these findings, the recommendations that follow focus on strengthening resilience, improving decision-making, and guiding readers toward practical steps that enhance both security posture and risk-informed governance.
FAIR Breakdown
Because the OSINT describes multiple successful campaigns across several large organizations in a short window (Iberia, Air Miles España, Under Armour, Petrobras, Dublin Airport), we can reasonably infer high activity and repeated targeting within the travel, retail, and energy sectors.
Threat Event Frequency (TEF)
The estimated Threat Event Frequency is approximately 0.8 to 1.5 events per year, a speculative but justified range based on the actor’s demonstrated campaign tempo and the repeated, closely timed breaches attributed to the group.
Contact Frequency (CF)
Contact Frequency can be inferred from the actor’s demonstrated behavior; although the OSINT does not explicitly document scanning or phishing, the scale and frequency of the reported breaches indicate regular reconnaissance and repeated attempts, likely occurring multiple times per month. This supports a speculative estimate of roughly 12 to 24 contact events per year. The repeated targeting of travel-sector organizations—such as Iberia, Dublin Airport, and the Travel Club ecosystem—further suggests focused sector-specific activity and sustained probing of similar environments.
Probability of Action (PoA)
The Probability of Action is high, driven by Everest’s clear financial motivation and reliance on double extortion, data theft, and ransom-driven operations that historically produce consistent follow-through once access is obtained. The actor’s pattern of multiple successful breaches within a single month reflects an aggressive campaign pace, supporting a speculative PoA estimate in the range of 0.7 to 0.85.
Threat Capability (TCap)
The OSINT supports assessing Everest as a high-capability threat actor, demonstrated by its ability to maintain long-term persistence within enterprise environments, extract large volumes of structured customer and operational data, manipulate booking information, and encrypt internal systems during extortion phases. These behaviors reflect a level of operational maturity and technical proficiency consistent with advanced criminal ransomware operations, supporting a justified speculative Threat Capability rating in the range of 7.5 to 9 on the FAIR 1–10 scale.
Exploit sophistication: The actor’s ability to compromise major enterprises across different sectors suggests a moderately advanced level of exploitation capability. While the OSINT does not reveal specific vulnerabilities used, the successful breaches imply the use of reliable intrusion methods and adaptable techniques.
Bypass ability: The reported long-term access and ability to alter booking information indicate that the actor can bypass or evade existing security controls for extended periods. This suggests proficiency in maintaining stealth, exploiting misconfigurations, or leveraging legitimate administrative mechanisms.
Tooling maturity: The presence of dark-web leak infrastructure, dedicated extortion portals, and tooling that enables both encryption and large-scale exfiltration indicates a refined operational toolkit. These capabilities reflect a structured, repeatable attack model rather than ad hoc tooling.
Campaign success rate: Multiple breaches across high-value companies in a compressed time window imply that a substantial portion of the actor’s intrusion attempts are successful. This level of consistency is characteristic of mature ransomware groups with established playbooks.
Attack path sophistication: The ability to read, modify, and manipulate live booking data suggests the actor moved laterally within internal systems and accessed privileged operational environments. Such post-exploitation behavior requires knowledge of internal architectures and careful execution.
Cost to run attack: The likely use of ransomware-as-a-service infrastructure, shared tooling, and commoditized access markets reduces overall operational cost for the actor. This makes the attack model highly feasible and economically efficient while still enabling high-impact outcomes.
Control Strength (CS)
Resistive Strength (RS)
The available OSINT suggests that preventive and detective controls were not sufficiently effective to stop the actor from gaining and sustaining long-term access within the affected environments. The fact that the attacker could extract large volumes of data and even modify live booking records indicates that controls either failed to detect early-stage intrusion activity or were unable to respond quickly enough to interrupt the attacker’s operations. Based on these conditions, a speculative Resistive Strength value of approximately 4.5 is reasonable, reflecting moderate-to-weak defensive capability against this specific threat.
Control Failure Rate
Control Failure Rate appears considerably elevated due to the attacker’s ability to maintain persistence, navigate internal systems, and manipulate sensitive booking information without timely detection or disruption. Such outcomes suggest multiple layers of control breakdown, including possible gaps in monitoring, misconfigurations, or insufficient segmentation that allowed the attacker to move through the environment with limited resistance. Given these indicators, a speculative CFR in the range of 0.6 to 0.7 is appropriate, reflecting a high likelihood that controls failed during critical phases of the intrusion.
Susceptibility
Susceptibility is determined by comparing the threat actor’s estimated capability of around 8 to the organization’s control strength of roughly 5, placing it in a high-susceptibility range supported by the confirmed compromise. This elevated level is reinforced by high exploitability demonstrated through persistent access, a broad attack surface spanning airline and loyalty systems, significant exposure conditions tied to large interconnected data environments, and the implication that patching or configuration controls were not fully effective. Taken together, these factors justify a concise susceptibility estimate of approximately 0.7 (70 percent).
Numerical Frequencies and Magnitudes
All values below are example/speculative values only and must be recalibrated to each organization’s own asset values, control strength, and telemetry.
Loss Event Frequency (LEF)
0.7/year (estimated)
Justification: The OSINT describes multiple successful breaches by the same actor across several large enterprises within a short period, indicating a high operational tempo. Combined with the organization’s estimated susceptibility, this supports a recurring likelihood of major events rather than isolated incidents.
Vulnerability (probability of harm per contact): 0.70
Everest demonstrates high technical capability, including long-term persistence in enterprise environments, large-scale exfiltration of structured customer and behavioral data, manipulation of live booking records, and encryption of internal systems as part of a double-extortion model. At the same time, the observed outcomes suggest that preventive and detective controls—such as segmentation, large-data-movement monitoring, and identity/access governance—were not sufficient to prevent or rapidly detect the intrusion. This mismatch between a capable, well-tooled ransomware group and moderate control strength supports a credible probability of harm per meaningful contact in the 65–80 percent range, with 70 percent as a defensible midpoint.
Secondary Loss Event Frequency (SLEF)
0.4/year
Justification: The breach involves millions of affected users, highly regulated EU personal data, and partners across a wide ecosystem. These conditions make secondary consequences—such as regulatory investigations, fraud claims, mandatory notifications, and partner fallout—likely to occur after the initial event.
Loss Magnitude (LM)
Estimated range:
Minimum: $8,000,000
Most Likely: $20,000,000
Maximum: $45,000,000
Justification:
Minimum estimates reflect essential containment actions, core forensic investigation, limited system restoration, and short-duration operational disruption. The most-likely values account for broader recovery operations, extensive incident response labor, prolonged booking or loyalty-platform downtime, and large-scale customer support burdens associated with millions of affected users. Maximum values represent severe outcomes such as protracted operational interruption, full system rebuilds following encryption, and widespread exposure of high-value personal, behavioral, and payment-linked data across international customer bases.
Secondary Loss Magnitude (SLM)
Estimated range:
Minimum: $5,000,000
Most Likely: $18,000,000
Maximum: $60,000,000
Justification:
Minimum estimates involve baseline regulatory filings, partner notifications, legal consultation, and initial reputational repair efforts. Most-likely estimates incorporate GDPR-driven compliance and penalty exposure, substantial identity-theft mitigation costs, class-action litigation risks, and measurable customer churn across Spain and Latin America. Maximum values account for extended brand damage, significant partner-ecosystem disruption, long-term fraud mitigation, and the amplified downstream effects associated with high-volume exfiltration of regulated EU personal and behavioral data.
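The frequency and magnitude figures above can be turned into an annualized loss exposure, which is what a board-level FAIR summary usually reports. The following is an added example, not code from the original analysis: it uses the page's own speculative TEF, vulnerability, LEF, SLEF and loss-magnitude ranges (which the article says must be recalibrated per organization), and the triangular sampling of each min/most-likely/max triple, the midpoint used as the TEF mode, and the Poisson event-count model are this example's assumptions.

```python
"""Annualized loss exposure from the article's FAIR inputs.

Added example, not part of the original analysis. Inputs are the page's
speculative values; the triangular and Poisson modelling is an assumption.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range3:
    """Minimum / most-likely / maximum triple, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def draw(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)


# Inputs as stated on the page (speculative values, USD for magnitudes).
TEF = Range3(0.8, 1.15, 1.5)            # threat events/year; mode = midpoint (assumption)
VULNERABILITY = 0.70                    # probability of harm per threat event
LEF_POINT = 0.7                         # loss events/year, as stated on the page
SLEF = 0.4                              # secondary loss events/year, as stated
PRIMARY_LM = Range3(8e6, 20e6, 45e6)    # primary loss magnitude
SECONDARY_LM = Range3(5e6, 18e6, 60e6)  # secondary loss magnitude


def lef_from_tef(tef: float, vulnerability: float) -> float:
    """FAIR: Loss Event Frequency = Threat Event Frequency x Vulnerability."""
    return tef * vulnerability


def point_estimate(lef: float = LEF_POINT, slef: float = SLEF,
                   primary: Range3 = PRIMARY_LM,
                   secondary: Range3 = SECONDARY_LM) -> dict:
    """Single-point annualized loss exposure using the most-likely magnitudes."""
    primary_ale = lef * primary.mode
    secondary_ale = slef * secondary.mode
    return {"primary": primary_ale, "secondary": secondary_ale,
            "total": primary_ale + secondary_ale}


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Number of events in one year for rate lam (Knuth's algorithm; small rates)."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate(trials: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo: each trial is one simulated year; returns USD summary statistics."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = lef_from_tef(TEF.draw(rng), VULNERABILITY)
        loss = sum(PRIMARY_LM.draw(rng) for _ in range(poisson_draw(rng, lef)))
        loss += sum(SECONDARY_LM.draw(rng) for _ in range(poisson_draw(rng, SLEF)))
        annual.append(loss)
    annual.sort()

    def pct(p: float) -> float:
        return annual[min(int(p * trials), trials - 1)]

    return {"mean": sum(annual) / trials, "p50": pct(0.50),
            "p90": pct(0.90), "max": annual[-1]}


if __name__ == "__main__":
    print("Point estimate:", {k: round(v) for k, v in point_estimate().items()})
    print("Monte Carlo:", {k: round(v) for k, v in simulate().items()})
```

The point estimate (0.7 × $20M primary plus 0.4 × $18M secondary, about $21.2M per year) is what most readers compute first; the simulation shows why the tail matters, since the 90th-percentile year lands well above that figure once the maximum magnitudes and multi-event years are sampled.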
Mapping, Controls, and Modeling
MITRE ATT&CK Mapping
Due to the lack of detailed information, there will be gaps in the mapping. Therefore, the following mapping is considered best effort.
Persistence
T1053 – Scheduled Task / Job
Reference: “Had long-term access with the ability to read and alter bookings.”
Lateral Movement
T1078 – Valid Accounts (application-level authenticated access)
Reference: “Ability to read and alter bookings… viewing or cancelling tickets.”
Collection
T1530 – Data from Cloud Storage
Reference: “Extracted a 596 GB database… booking-related mail files… 131 GB of data.”
T1005 – Data from Local System
Reference: “Full identity information, loyalty details… payment records.”
Exfiltration
T1041 – Exfiltration Over C2 Channel (generic)
Reference: “Extracted a 596 GB database… stole about 131 GB of data.”
Impact
T1486 – Data Encrypted for Impact
Reference: “Locked internal systems… follows the double extortion pattern… encrypt systems and demand payment.”
T1657 – Data Manipulation
Reference: “Changing contact details… modifying seats… cancelling tickets within fare rules.”
NIST 800-53 Affected Controls
Due to the lack of detailed information, there will be gaps in the mapping. Therefore, the following mapping is considered best effort.
AC-3 — Access Enforcement
Activity: Unauthorized access to booking systems and ability to modify operational data.
Reference: “Everest also says it had long-term access with the ability to read and alter bookings… changing contact details, adjusting emergency contacts, modifying seats, meals, and other add-ons, and viewing or cancelling tickets.” This activity demonstrates a direct failure of AC-3, which is intended to enforce access control decisions (see AC-3 discussion on page 24 of the NIST file). The actor’s ability to modify records indicates that system objects were not protected by proper access enforcement mechanisms.
AC-6 — Least Privilege
Activity: Unauthorized modification of sensitive customer and booking information.
Reference: “Ability to read and alter bookings… modifying seats, meals… changing contact details.” This violates AC-6’s requirement that subjects operate with the minimum privileges required (AC-6 related discussion referenced under MAC policies on page 24). The attacker clearly obtained privileges far beyond any acceptable authorization.
AC-17 — Remote Access
Activity: Long-term remote unauthorized access to Iberia’s and Travel Club’s systems.
Reference: “Everest also says it had long-term access with the ability to read and alter bookings.” The AC-17 control mandates that remote access be monitored and controlled, including confidentiality and integrity protections (AC-17 found on page 458). Persistent illicit access indicates that remote access governance was bypassed or insufficiently monitored.
AU-6 — Audit Record Review, Analysis, and Reporting
Activity: Attacker persistence and data manipulation went undetected for an extended period.
Reference: “Everest also says it had long-term access with the ability to read and alter bookings.” AU-6 requires reviewing audit logs for suspicious activity. Long-term undetected access suggests audit logs were not reviewed or were ineffective in detecting anomalous booking modifications.
SC-28 — Protection of Information at Rest
Activity: Theft of entire databases containing identity, loyalty, and payment information.
Reference: “Stolen data includes full identity information, loyalty details, Avios balances, travel histories… payment records from IberiaPay.” The compromise of massive data sets indicates inadequate encryption or storage protections for information at rest, which SC-28 requires.
SC-7(10) — Boundary Protection | Prevent Exfiltration
Activity: Large-scale exfiltration of 596 GB and 131 GB of sensitive data.
Reference: “Extracted a 596 GB database… stole about 131 GB of data from Air Miles España.” This directly conflicts with SC-7(10), which requires organizations to prevent both intentional and unintentional exfiltration (see page 327–328 of the NIST file).
SC-5 — Denial-of-Service Protection (Applicable to Ransomware Locking Systems)
Activity: Attackers encrypted internal systems as part of double extortion.
Reference: “Then locked internal systems… attackers take files, then encrypt systems and demand payment.” Ransomware encryption constitutes a form of availability attack. SC-5 requires defenses against DoS-related disruptions, including malicious system-locking.
CP-10 — System Recovery and Reconstitution
Activity: System encryption required restoration from backups or reconstitution.
Reference: “Locked internal systems… encrypt systems and demand payment.” This impacts CP-10, which requires the ability to restore systems to a secure state after a disruption. Encryption by ransomware directly tests recovery controls.
IR-4 — Incident Handling
Activity: Large-scale breach and extortion operation requiring coordinated incident response.
Reference: “This follows the double extortion pattern… demand payment to stop public release.” IR-4 mandates containment, eradication, and recovery activities. A successful long-term compromise indicates a failure of early detection and response mechanisms.
SI-4 — System Monitoring
Activity: Persistent undetected access and data manipulation.
Reference: “Long-term access with the ability to read and alter bookings.” SI-4 requires monitoring for anomalous behavior and indicators of compromise. Undetected illicit activity over time reflects monitoring control gaps.
PM-5 — System Inventory Restrictions (Applicable to PII in Large Databases)
Activity: Exposure of millions of customer records, including PII and payment data.
Reference: “Full identity information, home and email addresses, loyalty account identifiers, point balances…” PM-5 relates to restricting access to specific information types (page 55). Unauthorized access to large datasets indicates breakdowns in information-type-specific restrictions.
Monitoring, Hunting, Response, and Reversing
Reducing susceptibility involves improving an organization’s ability to detect and understand abnormal activity before it causes harm. When monitoring, hunting, response, reverse-engineering, and CTI recommendations are implemented together, they close gaps that attackers rely on and create earlier, more reliable warning points. Stronger visibility, clearer detection logic, and faster containment limit an adversary’s opportunities to succeed. Combined, these practices form a layered defense that meaningfully lowers the likelihood that an exposed asset will be compromised.
Monitoring
Monitoring should emphasize telemetry from network, endpoint, cloud, identity, email, and DNS sources to detect long-term unauthorized access, large data movements, and abnormal booking or loyalty-data changes. Network and DNS logs should capture the volume and destination of database and application traffic, while endpoint and cloud logs record process activity and file access on application servers. Identity systems must log privilege use and access to sensitive applications with sufficient detail, and application logs should capture every booking or profile change. Key indicators include repeated contact-detail changes, abnormal access to large datasets, unusual login patterns, and early signals of encryption activity. Gaps exposed by this threat include weak application-level logging, limited data-exfiltration visibility, and insufficient identity-to-data correlation. Correlation should fuse identity, application, and network events to flag privileged access tied to bulk reads or suspicious modifications. Dashboards should highlight high-risk identities, major data-transfer events, and anomalous booking activity, with validation through replayed export jobs and simulated long-term misuse to confirm alert fidelity.
Hunting
Hunting should expand on hypotheses such as attackers using valid or elevated accounts to maintain long-term access, performing abnormal high-volume queries against customer or loyalty databases, or staging data in preparation for exfiltration and encryption. Telemetry should come from application audit trails, identity logs, endpoint monitoring on application and database servers, and network flow data that highlights unusual transfer patterns or persistent external connections. Detection logic should correlate repeated profile or booking changes, sequences of export-like queries, or file-access bursts that precede ransomware activity. Noise reduction requires tuning out known batch processes, scheduled reporting jobs, and legitimate large-volume users, while iteratively refining hunts to distinguish normal operational workloads from subtle signs of malicious, long-term misuse. Hunts should be rerun over extended time windows to catch slow-moving or intermittent adversary behaviors typical of persistent access.
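The monitoring and hunting guidance above comes down to one correlation: application audit events (repeated contact-detail changes, export-like bulk reads) joined to identity events (privileged logins from unexpected sources), with known batch accounts tuned out. The following is an added example of that logic and is not code from the original analysis or from any airline's SIEM; the log field names, the two JSON-lines telemetry samples, the thresholds, the `KNOWN_BATCH_ACCOUNTS` allowlist and the internal-address prefix are all constructed for illustration.

```python
"""Correlate application audit trails with identity events to flag
long-term misuse of booking/loyalty systems.

Added example, not code from the original analysis. Field names, thresholds
and the sample log lines are constructed; tune them to real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real airline or loyalty-program data).
APP_AUDIT_LOG = """\
{"ts":"2025-11-20T02:01:00Z","account":"agent_svc_17","action":"update_contact","booking":"PNR001"}
{"ts":"2025-11-20T02:02:10Z","account":"agent_svc_17","action":"update_contact","booking":"PNR002"}
{"ts":"2025-11-20T02:03:40Z","account":"agent_svc_17","action":"update_contact","booking":"PNR003"}
{"ts":"2025-11-20T02:05:00Z","account":"agent_svc_17","action":"update_seat","booking":"PNR004"}
{"ts":"2025-11-20T02:40:00Z","account":"agent_svc_17","action":"read_bookings","rows":250000}
{"ts":"2025-11-20T03:00:00Z","account":"report_batch","action":"read_bookings","rows":900000}
{"ts":"2025-11-20T09:15:00Z","account":"jdoe","action":"update_contact","booking":"PNR050"}
{"ts":"2025-11-20T09:16:00Z","account":"jdoe","action":"read_bookings","rows":40}
"""
IDENTITY_LOG = """\
{"ts":"2025-11-20T01:55:00Z","account":"agent_svc_17","event":"login","src":"203.0.113.8","privileged":true}
{"ts":"2025-11-20T02:59:00Z","account":"report_batch","event":"login","src":"10.0.5.20","privileged":true}
{"ts":"2025-11-20T09:10:00Z","account":"jdoe","event":"login","src":"10.0.7.31","privileged":false}
"""

KNOWN_BATCH_ACCOUNTS = {"report_batch"}   # scheduled reporting jobs tuned out as noise
INTERNAL_PREFIXES = ("10.",)               # assumption: internal address space
CONTACT_CHANGE_THRESHOLD = 3               # distinct bookings changed per window
CONTACT_CHANGE_WINDOW = timedelta(minutes=30)
BULK_READ_ROWS = 100_000                   # export-like read size


def parse_jsonl(text: str) -> list:
    """Parse JSON lines, convert timestamps, and return events sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def repeated_contact_changes(events: list) -> list:
    """Flag accounts changing contact details on >= N distinct bookings in a window."""
    findings, flagged = [], set()
    history = defaultdict(list)  # account -> [(ts, booking)]
    for e in events:
        acct = e["account"]
        if e["action"] != "update_contact" or acct in KNOWN_BATCH_ACCOUNTS:
            continue
        history[acct].append((e["ts"], e["booking"]))
        recent = {b for t, b in history[acct] if e["ts"] - t <= CONTACT_CHANGE_WINDOW}
        if len(recent) >= CONTACT_CHANGE_THRESHOLD and acct not in flagged:
            flagged.add(acct)
            findings.append({"rule": "repeated_contact_changes", "account": acct,
                             "ts": e["ts"], "detail": sorted(recent)})
    return findings


def bulk_reads(events: list) -> list:
    """Flag export-sized reads by accounts that are not known batch processes."""
    return [{"rule": "bulk_read", "account": e["account"], "ts": e["ts"],
             "detail": e["rows"]}
            for e in events
            if e["action"] == "read_bookings" and e.get("rows", 0) >= BULK_READ_ROWS
            and e["account"] not in KNOWN_BATCH_ACCOUNTS]


def correlate(findings: list, identity_events: list,
              lookback: timedelta = timedelta(hours=24)) -> list:
    """Raise severity when the same account had a privileged login from outside
    internal address space within the lookback before the suspicious activity."""
    alerts = []
    for f in findings:
        risky = [i["src"] for i in identity_events
                 if i["account"] == f["account"] and i["event"] == "login"
                 and i.get("privileged") and not i["src"].startswith(INTERNAL_PREFIXES)
                 and timedelta(0) <= f["ts"] - i["ts"] <= lookback]
        alerts.append({**f, "severity": "high" if risky else "medium", "logins": risky})
    return alerts


def run(app_log: str = APP_AUDIT_LOG, identity_log: str = IDENTITY_LOG) -> list:
    """Full pipeline: parse both sources, apply the rules, correlate with identity."""
    app, ident = parse_jsonl(app_log), parse_jsonl(identity_log)
    return correlate(repeated_contact_changes(app) + bulk_reads(app), ident)


if __name__ == "__main__":
    for a in run():
        print(a["severity"].upper(), a["rule"], a["account"], a["detail"], a["logins"])
```

On the constructed sample, only `agent_svc_17` is raised (three contact changes in under three minutes, then a 250,000-row read), and both findings become high severity because the account's privileged login came from outside the internal range; the batch account's larger read is suppressed by the allowlist, which is the noise-tuning step the hunting guidance calls for. Rerunning `run()` over longer windows, as the text recommends, only requires widening `CONTACT_CHANGE_WINDOW` and the identity lookback.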
Response
Response should gather detailed logs from application, database, identity, endpoint, and network sources to determine how long access was maintained and what data was taken. Artifacts include unusual login patterns, high-volume queries, inconsistent customer or booking changes, and signs of encryption activity. Event reconstruction should trace backward from any extortion or encryption indicator to identify lateral movement, bulk access, and exfiltration. DFIR outputs should quantify affected data sets and operational impact to support FAIR loss modeling. Likely containment involves revoking compromised accounts, isolating affected servers, blocking outbound destinations, and disabling risky integrations. Priority artifacts include complete audit logs, database query histories, identity timelines, EDR traces, and extortion communications, while gaps should be validated with tabletop and technical simulations.
Reverse Engineering
Reverse engineering should take a structured approach to any binaries, scripts, or tools recovered, focusing on how loaders establish footholds, escalate access, and prepare for large-scale data theft and encryption. Analysts should examine whether the tooling uses staged payloads, selective targeting, environmental checks, or obfuscation to avoid detection and blend into normal processes. Persistence and evasion analysis should look for artifacts such as scheduled tasks, service modifications, web shells, or administrative-tool abuse that align with the reported long-term unauthorized access. Teams should extract and document indicators like file paths, registry keys, mutexes, encryption routines, and any command-and-control artifacts to support monitoring and hunting efforts. Dynamic analysis should observe data-access routines, compression or staging functions, and encryption workflows, while static analysis identifies embedded configuration, hardcoded values, or operational logic. In cases where OSINT lacks detailed malware information, analysts should compare recovered samples with known ransomware families and double-extortion toolkits to identify shared techniques without asserting attribution.
CTI
CTI efforts should emphasize more detailed PIR evaluation, determining not only whether this actor targets similar sectors but also whether their victim profiles share architecture, integrations, or data types with the organization’s environment. Analysts should estimate campaign recurrence by tracking how often Everest posts new claims, whether their targeting clusters around airlines, travel affiliated systems, or identity-rich data stores, and whether seasonal or opportunistic patterns emerge. TTP-focused analysis should compare incidents for recurring behaviors such as persistent access, data staging, booking or profile manipulation, and structured dataset exfiltration, documenting how these map to ATT&CK for detection and control alignment. CTI should identify missing IOCs, infrastructure gaps, malware samples, or telemetry needed to confirm or rule out similar activity internally, prioritizing data from booking, loyalty, payment, and behavioral datasets like those compromised in the OSINT. Collection should expand across OSINT vendors, dark-web leak monitoring, ISAC/ISAO channels, malware repositories, and internal high-value systems to maintain visibility into evolving activity. Mapping and clustering should link related infrastructure, repeated targeting behavior, and common TTPs, rating each analytic conclusion by confidence level and identifying trendlines such as growing focus on loyalty accounts or expansion into partner ecosystems. These outputs should continuously inform monitoring enhancements, hunting priorities, and FAIR risk quantification.
GRC and Testing
Governance
Governance should focus on testing whether current policies explicitly address long-term unauthorized access, large-scale data exfiltration, and ransomware-driven operational disruption in airline, loyalty, and partner-integrated environments. Policy adequacy should be reviewed across information security, identity and access management, third-party/partner access, data protection, and incident response to ensure they cover persistent access to booking and loyalty systems, protection of large structured datasets, and double-extortion scenarios with both encryption and leak threats. Oversight functions should give boards and executive risk committees clear visibility into ransomware and data-theft risk, using FAIR-aligned metrics such as loss event frequency, loss magnitude ranges, and susceptibility for high-value assets like booking platforms and loyalty databases. Governance documents in the RA, PM, and PL families should be refreshed to align stated risk appetite, risk assessment methodology, and program plans with the demonstrated threat capability, explicitly prioritizing controls around access enforcement, monitoring, backup and recovery, and data-at-rest protection. Risk registers should be updated to add or refine entries for persistent ransomware actors targeting customer, payment, and loyalty data, including quantified ranges and identified control gaps. Board and executive communications should move beyond generic “ransomware risk” language and instead present concise narratives that tie this scenario to concrete business impacts (customer churn, regulatory exposure, operational disruption), along with specific remediation and investment decisions that governance expects management to execute and report against.
Audit and Offensive Security Testing
Audit and offensive testing should be aligned directly to the weaknesses implied by the scenario: long-term unauthorized access, undetected data exfiltration, and successful system encryption in booking and loyalty environments. Internal and external audits should explicitly test whether controls like access enforcement, logging and monitoring, backup integrity, and recovery processes operate effectively on systems that store customer identity, payment, and loyalty data, documenting evidence gaps as concrete vulnerabilities rather than general findings. Policies and controls governing privileged access, remote access, data loss prevention, and third-party connectivity should be sampled against real systems to validate that they are implemented as written, especially on high-value applications analogous to Iberia’s booking platform and Travel Club’s loyalty systems. Red team exercises should target realistic objectives such as gaining persistent access to booking or loyalty data stores, manipulating operational records, and staging exfiltration without detection; purple team activities should convert those attack paths into specific, tested detections and response playbooks. Penetration testing scopes should be expanded to include partner-facing portals, admin interfaces, and data-export mechanisms, with explicit goals of reproducing data-access and exfiltration paths rather than focusing solely on perimeter scanning. Across all activities, control validation should measure whether monitoring, access control, and recovery capabilities actually interrupt or contain simulated ransomware and data-theft workflows, feeding concrete evidence back to governance, risk, and FAIR modeling.
Awareness Training
Awareness training should be updated to reflect that persistent access and large-scale data theft are often enabled by weaknesses in identity handling, partner interactions, and operational discipline, even when the initial intrusion vector is not fully known. While the OSINT does not detail specific social engineering lures, training should still emphasize credential protection, safe handling of access to booking and loyalty systems, and careful verification of unusual access or data requests, especially for staff who can view or change large volumes of customer or loyalty information. Role-specific adjustments are needed: administrators should receive deeper instruction on secure use of privileged tools and recognizing suspicious changes or automation jobs; finance and legal teams should understand the implications of double-extortion and leak threats; customer-facing staff should be prepared to spot and escalate signs of account takeover or unusual booking changes; and executives should know how to respond to extortion attempts without amplifying risk. Behavioral indicators to highlight include repeated unexplained changes to customer contact details, irregular booking modifications, unexpected export requests, and any communication suggesting data theft or encryption. Phishing and social-engineering simulations, even if not explicitly tied to this OSINT, should be tuned to scenarios that could lead to credential theft or misuse of remote access to high-value systems. Training communications should give clear guidelines for high-risk interactions involving email, remote access, booking platforms, and customer-data handling, supported by regular reinforcement cycles and metrics such as completion rates, simulation performance, and incident-reporting trends to assess effectiveness and guide further refinement.