Everest Ransomware Says It Stole 1.5M Dublin Airport Passenger Records – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More


Today, the Everest ransomware group published listings for two new victims, Dublin Airport and Air Arabia, on its dark web leak site. This announcement comes just days after the group claimed responsibility for breaching AT&T Careers, alleging the theft of 576,000 records containing personal details of applicants and employees.

Like the AT&T listing, both the Dublin Airport and Air Arabia entries are password-protected. The information is locked behind a password, and each listing instructs company representatives to “follow instructions” before a deadline expires. The password protection suggests that the full dataset is not yet available for public download or preview and that Everest is restricting access under certain conditions.

Dublin Airport

According to the group’s claims, the Dublin Airport breach includes approximately 1,533,900 personal records, including passenger data. The listing shared by the group shows data fields with detailed passenger and flight-related information that could be used to identify travellers and their travel activity. This includes the following:

  1. Full name
  2. Flight date
  3. Passenger ID
  4. Seat number
  5. Flight number
  6. Departure airport code
  7. Destination airport code
  8. Fast track or priority status
  9. Compartment or travel class
  10. Timestamp and barcode format
  11. Departure date and workstation ID
  12. Frequent flyer airline, number, and tier
  13. Operating carrier and marketing carrier
  14. Sequence number and passenger status
  15. Version number and number of segments
  16. Airline designator of the boarding pass issuer
  17. Free baggage allowance and baggage tag numbers
  18. Date of issue of the boarding pass and document type
  19. Airline numeric code and document form serial number
  20. Source of check-in and source of boarding pass issuance
  21. Device name, device ID, and device type used for check-in
  22. First and second non-consecutive baggage tag plate numbers
  23. Selectee indicator and international document verification status

The following screenshot from the Everest ransomware group’s dark web site shows Dublin Airport listed as a victim, along with details of the data the group claims to have stolen:

(Image credit: Hackread.com).

Air Arabia

For Air Arabia, a low-cost airline based in the United Arab Emirates with its main hub at Sharjah International Airport, Everest claims to possess personal details of more than 18,000 employees.

No other information or sample data has been provided by the group. However, in both cases, the group has given the companies six days to contact them before the stolen data is released online.

Air Arabia is listed as a new victim on Everest’s website (Image credit: Hackread.com).

Aviation Industry: The New Niche Target of the Everest Ransomware Group?

The Everest ransomware group is known for leaking stolen databases and making extortion demands. Since 2021, the group has listed hundreds of victims, including Coca-Cola and Mailchimp, and is known for targeting corporate databases, employee records, customer information, and financial data.

However, for the last couple of months, it has been targeting the aviation industry. In September this year, a cyberattack caused widespread disruption across several major European airports, affecting check-in systems and passenger processing. The incident was linked to a system outage involving Collins Aerospace, a key provider of airport and airline check-in technology.

Airports, including London Heathrow, Berlin, and Brussels, were among those impacted, leading to delays and operational slowdowns. While UK authorities arrested a 40-year-old man in West Sussex this week in connection with the attack, the Everest ransomware group claimed responsibility for targeting Collins Aerospace.

The group published its claims on its dark web domain on October 7, 2025, stating it had breached the company’s systems and accessed sensitive data. In a detailed post titled “MUSE-INSECURE: Inside Collins Aerospace’s Security Failure,” the Everest group described how it allegedly gained access to Collins Aerospace’s systems through an exposed FTP server using easy-to-guess credentials.

Collins Aerospace is listed as a victim by the Everest Ransomware Group (Image credit: Hackread.com).

According to the group, the server contained documents linked to airline operations and passenger data. Everest claims it downloaded large amounts of information between September 10 and 11 before access was cut off, suggesting the company’s monitoring systems detected the breach.

The group also stated that it contacted Collins Aerospace through a negotiator on September 16, but communication stalled soon after. It further alleged that the company later shut down critical servers related to air travel processes on September 19, which led to disruptions across multiple European airports.

Everest accused the company of poor internal coordination and downplaying the scale of the breach, while denying that it deployed ransomware in this attack.

As for Dublin Airport and Air Arabia, Hackread.com will continue to monitor for official statements from both organisations, any sample data releases, and credible third-party analyses. If you believe you may be affected, follow recommended protective measures and await official guidance from Dublin Airport, Air Arabia, or the relevant authorities.




