Dublin Airport Attack Claimed by Russian Ransomware Group Everest

A Russian-linked ransomware group claims to have stolen 1.5 million records from Dublin Airport’s passenger systems, raising urgent concerns around aviation supply-chain cybersecurity and travel-data exposure.

    A Russian-linked ransomware group known as Everest has claimed responsibility for a major cyberattack on Dublin Airport, alleging the theft of more than 1.5 million passenger records. The group posted a ransom note on its dark web leak site, threatening to publish the stolen information unless payment demands are met.

    Scope of the Data Breach and Impact on Passenger Information

    Everest claimed to have exfiltrated a dataset containing 1,533,900 passenger records from Dublin Airport systems. The data reportedly includes names, passport details, booking references, ticket serial numbers, seat assignments, and flight itineraries. Analysts who reviewed the group’s post also noted the inclusion of device identifiers and digital check-in records, suggesting a compromise of systems integrated with airline operations.

    The affected data appears to correspond to passengers who traveled through the airport in August 2025. While no verified samples of the data have been published, the group’s dark web post includes a countdown timer indicating that files will be leaked if negotiations fail.

    A spokesperson for the Dublin Airport Authority (DAA) stated that there is “no current evidence” of a direct intrusion into airport-owned systems.

    “We are aware of the claims made online and are investigating a potential data incident involving one of our third-party partners,” the DAA said in a public statement. “There is no indication that our internal infrastructure has been compromised.”

    The DAA added that it is working closely with law enforcement and the Data Protection Commission of Ireland to determine the extent of the alleged breach.

    Technical Analysis and Possible Attack Vector

    Preliminary investigations indicate that the breach may have originated from a third-party vendor connected to the airport’s passenger processing systems. This aligns with Everest’s known tactics, which often exploit weaknesses in supply chain networks to gain access to target organizations.

    Cybersecurity analysts monitoring Everest’s activity have linked the group to attacks that rely on stolen credentials, Remote Desktop Protocol (RDP) exploitation, and unpatched vulnerabilities in vendor-managed systems. Once initial access is gained, Everest typically performs network reconnaissance, deploys lateral movement tools, and exfiltrates data to external servers before encryption occurs.

    The Dublin Airport intrusion follows a similar pattern to the recent Collins Aerospace incident, which disrupted airport services across Europe earlier this month. Both operations exhibit overlapping TTPs (tactics, techniques, and procedures), including stealthy data exfiltration prior to extortion.
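One way to turn the sequence described above (third-party remote access, then bulk exfiltration before any encryption) into a detection, as an added example that is not from the article or from any airport or vendor system: correlate Windows 4624 RemoteInteractive (RDP) logons for third-party accounts with outbound flow volume from the same host in the hours that follow. The log layout, the VENDOR domain, host names, addresses, the two-hour window and the 500 MiB threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

KV = re.compile(r"(\w+)=(\S+)")
RDP_LOGON_TYPE = "10"          # 4624 logon_type 10 = RemoteInteractive (RDP)
VENDOR_DOMAINS = {"VENDOR"}    # assumed naming for third-party accounts
WINDOW = timedelta(hours=2)    # assumed look-ahead after the RDP logon
EXFIL_BYTES = 500 * 1024 ** 2  # assumed threshold: 500 MiB outbound

# Constructed sample records (not from the incident): Windows logon events and
# firewall flow summaries, both tagged with the user active on the host.
LOGON_LOG = """\
2025-08-12T01:02:11Z host=pax-gw01 event=4624 user=VENDOR\\svc_checkin logon_type=10 src=203.0.113.45
2025-08-12T01:40:33Z host=pax-gw01 event=4624 user=VENDOR\\svc_checkin logon_type=10 src=203.0.113.45
2025-08-12T09:15:02Z host=pax-gw01 event=4624 user=CORP\\jdoe logon_type=2 src=-
"""
FLOW_LOG = """\
2025-08-12T01:10:05Z host=pax-gw01 user=VENDOR\\svc_checkin dst=198.51.100.7:443 bytes_out=734003200
2025-08-12T01:55:40Z host=pax-gw01 user=VENDOR\\svc_checkin dst=198.51.100.7:443 bytes_out=1288490188
2025-08-12T09:20:00Z host=pax-gw01 user=CORP\\jdoe dst=192.0.2.10:443 bytes_out=20480
"""

def parse(log):
    """Parse one 'timestamp k=v k=v ...' record per line into dicts."""
    records = []
    for line in log.strip().splitlines():
        ts, _, rest = line.partition(" ")
        rec = dict(KV.findall(rest))
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records

def vendor_rdp_then_exfil(logons, flows):
    """Flag vendor RDP logons followed by exfiltration-scale outbound volume."""
    alerts, seen = [], set()
    for lg in logons:
        if lg.get("event") != "4624" or lg.get("logon_type") != RDP_LOGON_TYPE:
            continue
        key = (lg["host"], lg["user"])
        if lg["user"].split("\\", 1)[0] not in VENDOR_DOMAINS or key in seen:
            continue
        end = lg["ts"] + WINDOW
        total = sum(int(f["bytes_out"]) for f in flows
                    if (f["host"], f["user"]) == key and lg["ts"] <= f["ts"] <= end)
        if total >= EXFIL_BYTES:   # one alert per host/account pair
            seen.add(key)
            alerts.append({"user": lg["user"], "host": lg["host"], "src": lg["src"],
                           "logon_at": lg["ts"].isoformat(), "bytes_out": total})
    return alerts

if __name__ == "__main__":
    for a in vendor_rdp_then_exfil(parse(LOGON_LOG), parse(FLOW_LOG)):
        print(a)
```

In a real deployment the same join would run against the SIEM's logon and flow tables, with the threshold tuned to the normal traffic profile of each vendor-facing host.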

    Implications for Aviation Security

    The incident underscores a growing trend of ransomware operators targeting aviation infrastructure, particularly entities dependent on interconnected IT systems. Dublin Airport handles over 35 million passengers annually, making it a high-value target for financially motivated threat actors seeking to exploit operational dependencies.

    Everest’s decision to claim responsibility without immediate data release is consistent with its “pressure-first” extortion model, designed to force negotiations. Security experts warn that if the exposed records are genuine, they could be leveraged for identity theft, travel scams, and phishing campaigns impersonating airlines or booking systems.

    “Information such as booking references, ticket numbers, and frequent flyer data is extremely valuable on dark markets, where it can be used for account takeovers and social engineering,” said one threat intelligence researcher familiar with the case.

    Everest, which first appeared in 2021, operates through a network of affiliates who perform intrusions while the core group manages data publication and negotiations. Past victims include major corporations across Europe and the United States, reflecting the group’s capability to execute multi-vector ransomware campaigns at scale.

    Law enforcement agencies, including Europol and INTERPOL, are reportedly monitoring the situation as part of ongoing efforts to curb ransomware operations targeting critical transport sectors.
