Leaked data exposed by a cybersecurity firm this week was allegedly stolen during a data breach identified in November, according to Spanish airline Iberia.

On Monday, researchers at Hudson Rock published a report about a threat actor named Zestix that has been auctioning data allegedly stolen from the corporate file-sharing portals of about 50 large companies and law firms. Among the companies identified is Iberia, the flag carrier of Spain.

Hudson Rock said the hacker likely used infostealer malware to infect an employee’s device, allowing them to obtain credentials and breach Iberia’s ShareFile instance. Developed by Progress Software, ShareFile is a popular tool used by large companies to store and share files.

The hacker allegedly stole 77 GB of data that includes technical materials for the A320 and A321 aircraft as well as maintenance files, engine data and other internal documents. The breach included aircraft damage charts, confidential fleet data and more.

An Iberia spokesperson told Recorded Future News that Hudson Rock’s research relates to an incident that came to light in November, when the threat actor demanded $150,000 for the same batch of information.

The spokesperson said the data breach was reported to several Spanish regulators including the Spanish Data Protection Agency. Breach notices were sent to hundreds of customers in the fall.

“The information contained in this information-sharing system is limited and non-operational, therefore flight safety has not been compromised,” they said in letters to victims.

Iberia added that the data breach included some personal data of Iberia customers that includes names, email addresses, phone numbers and Iberia Club membership numbers. Some booking reference codes for future flights were accessed.

“Two-factor authentication has been enabled for all affected so that no one other than them can modify their booking or carry out any transactions through the app, the… website or the call centre,” the company said.

The spokesperson did not respond to further questions about the technical materials. Hudson Rock said the data stolen includes “digital signatures and proprietary configuration variations valuable to competitors or state actors.”

None of the other companies listed by Hudson Rock confirmed being impacted by a data breach.

The cybersecurity firm said the Zestix threat actor was first discovered in late 2024 and operates within Russian-language closed forums as an initial access broker. The hacker sells their access for Bitcoin and generally is able to breach organizations by using infostealer malware infections.

The report notes that other security firms have tied one of Zestix’s aliases to an Iranian national and linked the actor to the Funksec cybercriminal group.