Everest Leaks AT&T Records, Demands $1M for Dublin Airport Passenger Data

The Russian-speaking Everest ransomware group claims to have leaked a database allegedly belonging to AT&T Carrier (att.jobs), the telecom giant’s official job and recruitment platform. The site is used by applicants and employees to apply for roles, submit resumes, and manage career-related information.

On the other hand, the ransomware group is offering the alleged personal details of 1.5 million Dublin Airport passengers for $1 million and the data of 18,000 Air Arabia employees for $2 million.

AT&T Carrier Database

It began on October 21, 2025, when Hackread.com reported that the group claimed to have stolen data from AT&T Carrier. The leaked database allegedly contains personal details of more than half a million individuals, which appear to be recruitment, applicant, or employee records rather than customer information.

The group gave the telecom giant six days to respond and contact them, warning that the data would be leaked if no communication was made. Today, the data was indeed released online. An analysis by Hackread.com found that the leak includes two CSV files, one titled user_list and the other customer_list.

The user_list file contains personal data such as email addresses, full names, and phone numbers of 429,103 individuals. The customer_list file includes email addresses, phone numbers, and last names of 147,621 individuals.

Hackread.com reached out to AT&T on October 24, 2025, but the company has not responded.

Dublin Airport Passenger Data

The Everest ransomware group listed Dublin Airport as a victim on its dark web site on October 25, 2025, giving the company six days to respond. As reported by Hackread.com, the group claimed to possess data belonging to 1.5 million (1,533,900) passengers and warned that it would publish the information online if its demands were ignored.

However, for reasons that remain unclear, the group shortened its deadline and is now offering the entire dataset for $1 million. According to their claims, the data includes the following information:

1. Full name
2. Flight date
3. Passenger ID
4. Seat number
5. Flight number
6. Departure airport code
7. Destination airport code
8. Fast track or priority status
9. Compartment or travel class
10. Timestamp and barcode format
11. Departure date and workstation ID
12. Frequent flyer airline, number, and tier
13. Operating carrier and marketing carrier
14. Sequence number and passenger status
15. Version number and number of segments
16. Airline designator of the boarding pass issuer
17. Free baggage allowance and baggage tag numbers
18. Date of issue of the boarding pass and document type
19. Airline numeric code and document form serial number
20. Source of check-in and source of boarding pass issuance
21. Device name, device ID, and device type used for check-in
22. First and second non-consecutive baggage tag plate numbers
23. Selectee indicator and international document verification status

Irish media has also confirmed the cyber attack.

Air Arabia Employee Data

The ransomware group also claims to have stolen information belonging to 18,000 employees of Air Arabia, a low-cost airline based in the United Arab Emirates with its main hub at Sharjah International Airport.

According to the hackers, the stolen records contain both personal and corporate employee details. The exposed data appears to include identification, contact, and employment information that could be misused for fraud or impersonation. Below is what each data type likely represents:

1. Status – Whether the employee is active, terminated, or on leave.
2. User ID / Username – Unique internal login identifiers that could help attackers access company systems.
3. First name, middle initial, last name, nickname, suffix, title, gender – Standard personal identifiers often used in HR and identity-verification systems.
4. Email – Primary company or personal email address, useful for phishing or social engineering attacks.
5. Manager, HR contact, department, job code, division – Organisational details that reveal reporting structures and company hierarchy.
6. Location and timezone – Worksite or regional information that can narrow down where an employee is based.
7. Hire date – Indicates employment tenure and can help craft convincing fake HR or benefits messages.
8. Business phone and fax – Direct contact lines
9. Address (lines 1 and 2), city, state, ZIP, country – Full physical address information that can expose home or office locations.
10. Matrix manager and proxy – Secondary supervisors or account delegates, potentially giving attackers extra targets for access.
11. Default locale and login method – Technical settings that might show how employees authenticate, such as single-sign-on or password systems.
12. Review frequency, last review date, company exit date, HR performance data and employment status indicators.
13. Custom fields (Custom01–Custom15) – Additional HR or system-specific data, which could include sensitive internal notes or identifiers.
14. Assignment ID external – A unique number linking the employee to external vendors or contractors.
15. Seating chart – Information about the physical desk or office location, which can expose layout and staffing details.

This data is now also for sale for $2 million.

The claims made by the Everest ransomware group add to a growing list of high-profile attacks targeting major companies. Whether all the stolen data is genuine remains unclear, but if confirmed, the impact could be serious for both employees and passengers. So far, AT&T and Air Arabia have not commented on the group’s claims.