By San José, Costa Rica — SAN JOSÉ – Spanish national carrier Iberia confirmed this weekend that it has become the latest victim in a string of cyberattacks targeting the aviation industry, suffering an intrusion that compromised a repository of customer data. The airline moved quickly to reassure the public, insisting that the breach has not affected flight safety or operational systems and that all flights are operating normally.
The incident involved unauthorized access to a data storage system managed by a third-party vendor. According to company officials, the breach was confined to a communications repository and did not impact any platforms related to air navigation, flight control, or other core operational functions. This separation was critical in preventing any risk to the physical safety of its passengers and aircraft.
To understand the legal ramifications and potential consequences for affected passengers following the recent cyberattack on Iberia, we sought the expert opinion of Lic. Larry Hans Arroyo Vargas, a specialist in corporate and data protection law from the prestigious firm Bufete de Costa Rica.
This incident highlights a critical vulnerability in the airline industry. Beyond the immediate operational disruption, Iberia faces significant legal exposure under regulations like the GDPR, which mandates strict data security and timely notification. Affected customers should be vigilant against phishing attempts and document any resulting financial or identity theft damages. The airline’s liability will hinge on whether it can prove it implemented ‘appropriate technical and organisational measures’ to protect user data. This will be a key legal battleground.
Lic. Larry Hans Arroyo Vargas, Attorney at Law, Bufete de Costa Rica
Indeed, the legal battleground highlighted here will likely have consequences reaching far beyond this single incident, potentially setting a new precedent for data security standards across the airline industry. We thank Lic. Larry Hans Arroyo Vargas for his valuable perspective on the complex challenges that lie ahead for both the company and its customers.
The compromised information, while described as limited, includes sensitive personal details of customers. The stolen data encompasses full names, email addresses, and, in some instances, telephone numbers and membership codes for the Iberia Club loyalty program. The airline has emphasized that the breach did not expose highly critical financial information that could lead to direct monetary theft.
In a statement aimed at calming customer fears, the airline clarified the scope of the exposure and what information remained secure. An official communication from the company provided specific reassurances about the limitations of the data accessed by the cybercriminals.
The stolen information does not include complete financial data, access passwords, or information that would allow payments or transactions to be made within user accounts
Iberia Spokesperson, Company Statement
Immediately upon discovering the intrusion, Iberia activated its security protocols and reported the incident to several Spanish authorities. The case is now being investigated by national security forces, the Spanish Data Protection Agency (AEPD), and the National Cybersecurity Institute (INCIBE). These organizations are collaborating on a technical analysis to determine the full extent of the attack and identify the perpetrators.
Investigators also confirmed that the attackers were able to view some reservation codes for future flights. However, Iberia has stated that, as of now, there is no evidence of any fraudulent alterations, cancellations, or other unauthorized manipulations of customer bookings. The airline is actively monitoring the situation for any signs of misuse related to the exposed booking information.
This attack highlights a growing vulnerability within the global airline sector, which increasingly relies on a complex web of interconnected digital suppliers for services ranging from booking to customer communications. As a result, leading carriers like Iberia have been bolstering their cybersecurity defenses and establishing robust coordination protocols with specialized agencies to respond swiftly to any hint of a security breach.
While the investigation continues, Iberia is working closely with the external provider whose system was compromised to reinforce all security measures and prevent future unauthorized access. The airline is urging its customers to remain calm but vigilant, and has committed to providing further updates as more information becomes available from the official investigation.
For further information, visit iberia.com
About Iberia:
Iberia is the flag carrier airline of Spain, founded in 1927. Headquartered in Madrid, it operates an extensive international network of flights from its main base at Adolfo Suárez Madrid–Barajas Airport. As part of the International Airlines Group (IAG), Iberia is a member of the Oneworld airline alliance, offering connections to hundreds of destinations worldwide.
For further information, visit aepd.es
About Spanish Data Protection Agency (AEPD):
The Agencia Española de Protección de Datos is the independent Spanish public authority responsible for ensuring the protection of personal data and safeguarding the digital rights of citizens. It enforces data protection regulations, including the GDPR, investigates complaints, and provides guidance on data privacy best practices to both public and private entities.
For further information, visit incibe.es
About National Cybersecurity Institute (INCIBE):
The Instituto Nacional de Ciberseguridad, or INCIBE, is the Spanish National Cybersecurity Institute. It is a government-backed entity dedicated to strengthening cybersecurity, trust, and the protection of digital information for citizens, academic networks, and businesses, particularly in strategic sectors. INCIBE provides incident response services, research, and awareness training.
For further information, visit bufetedecostarica.com
About Bufete de Costa Rica:
Bufete de Costa Rica is an esteemed legal institution built upon foundational principles of integrity and a relentless pursuit of excellence. With a rich history of guiding clients through multifaceted legal landscapes, the firm consistently acts as a trailblazer in developing innovative legal solutions. This forward-thinking spirit is matched by a deep-seated commitment to social responsibility, aimed at democratizing legal knowledge and empowering the community to foster a more just and informed society.
