Top Story: Iberia discloses customer data leak after vendor security breach
Pour yourself a glass of bourbon, because this is the kind of breach that tastes like a cautionary tale you filed under the desk for a reason. Iberia, the Spanish carrier that dreams in aircraft windows and passenger smiles, is quietly notifying customers after a supplier was compromised. The threat actor bragged about access to 77 GB of data, which is almost impressive in the way a runway full of empty promises is impressive. It should be a headline in every vendor risk memo, and yet here we are watching another incident flow through the standard playbook like a budget airline snack service — somehow undercooked, overmarketed, and entirely avoidable with a dash of basic due diligence.
What we have is the classic supply chain problem dressed up as a vendor problem. The breach did not occur on Iberia’s own network; it happened because someone who sells things to Iberia did not secure their own stuff properly. This is not a novel plot twist; it is the operating system of modern security. Third-party risk continues to be treated as a checkbox instead of a control. But yes, we must still pretend that a simple contract and a slide deck will magically secure critical data. Spoiler alert: they will not. And if you think your team is immune, you are the reason the pit of vendor risk keeps filling up with the corpses of your own dashboards.
The article highlights the inflated rhetoric we all know well from vendor briefings. The usual PR gymnastics follow: a breach at a supplier, a few reassuring statements about compensating customers, and a carefully worded pledge to tighten controls — which in practice means more dashboards and another round of buy-one-get-one-free risk assessments. CISOs and procurement teams will nod along, as if the real problem is a lack of budget rather than a lack of critical thinking when it comes to who you trust with your data. IT culture loves to outsource responsibility and then blame the vendor for not being a mind reader with a security cape.
So what should have happened yesterday, when the risk was still a glimmer in a security consultant’s eye? Real due diligence, continuous vendor monitoring, SBOMs that actually get read, and data minimization that would make any breach hurt less. Instead we get the usual choreography: a breach, a press release, a spike in stock photos of smiling executives, and a sip of something aged to numb the next incident. If you want a practical takeaway, it is this — security is not a season pass bought from a vendor. It is a daily grind that includes tightening third-party access, validating provider security postures, and treating supplier risk like the single most important control on your network, not a checkbox you tick between coffee rounds.
Read the original article here: Iberia discloses customer data leak after vendor security breach