The Russian-speaking Everest ransomware group claims to have leaked a database allegedly belonging to AT&T Service (att.jobs), the telecom large’s official job and recruitment platform. The location is utilized by candidates and staff to use for roles, submit resumes, and handle career-related info.
Alternatively, the ransomware group is providing the alleged private particulars of 1.5 million Dublin Airport passengers for $1 million and the information of 18,000 Air Arabia staff for $2 million.
AT&T Service Database
It started on October 21, 2025, when Hackread.com reported that the group claimed to have stolen information from AT&T Service. The leaked database allegedly accommodates private particulars of greater than half 1,000,000 people, which seem like recruitment, applicant, or worker information quite than buyer info.
The group gave the telecom large six days to reply and phone them, warning that the information can be leaked if no communication was made. At present, the information was certainly launched on-line. An evaluation by Hackread.com discovered that the leak contains two CSV information, one titled user_list and the opposite customer_list.
The user_list file accommodates private information reminiscent of e-mail addresses, full names, and telephone numbers of 429,103 people. The customer_list file contains e-mail addresses, telephone numbers, and final names of 147,621 people.
Hackread.com reached out to AT&T on October 24, 2025, however the firm has not responded.
Dublin Airport Passenger Knowledge
The Everest ransomware group listed Dublin Airport as a sufferer on its darkish web page on October 25, 2025, giving the corporate six days to reply. As reported by Hackread.com, the group claimed to own information belonging to 1.5 million (1,533,900) passengers and warned that it could publish the knowledge on-line if its calls for have been ignored.
Nevertheless, for causes that stay unclear, the group shortened its deadline and is now providing your entire dataset for $1 million. Based on their claims, the information contains the next info:
- Full title
- Flight date
- Passenger ID
- Seat quantity
- Flight quantity
- Departure airport code
- Vacation spot airport code
- Quick observe or precedence standing
- Compartment or journey class
- Timestamp and barcode format
- Departure date and workstation ID
- Frequent flyer airline, quantity, and tier
- Working provider and advertising and marketing provider
- Sequence quantity and passenger standing
- Model quantity and variety of segments
- Airline designator of the boarding cross issuer
- Free baggage allowance and baggage tag numbers
- Date of subject of the boarding cross and doc sort
- Airline numeric code and doc type serial quantity
- Supply of check-in and supply of boarding cross issuance
- Machine title, machine ID, and machine sort used for check-in
- First and second non-consecutive baggage tag plate numbers
- Selectee indicator and worldwide doc verification standing
Irish media has additionally confirmed the cyber assault.
Air Arabia Worker Knowledge
The ransomware group additionally claims to have stolen info belonging to 18,000 staff of Air Arabia, a low-cost airline primarily based within the United Arab Emirates with its important hub at Sharjah Worldwide Airport.
Based on the hackers, the stolen information include each private and company worker particulars. The uncovered information seems to incorporate identification, contact, and employment info that might be misused for fraud or impersonation. Under is what every information sort possible represents:
- Standing – Whether or not the worker is energetic, terminated, or on go away.
- Person ID / Username – Distinctive inside login identifiers that might assist attackers entry firm methods.
- First title, center preliminary, final title, nickname, suffix, title, gender – Normal private identifiers typically utilized in HR and identity-verification methods.
- Electronic mail – Major firm or private e-mail handle, helpful for phishing or social engineering assaults.
- Supervisor, HR contact, division, job code, division – Organisational particulars that reveal reporting constructions and firm hierarchy.
- Location and timezone – Worksite or regional info that may slender down the place an worker relies.
- Rent date – Signifies employment tenure and can assist craft convincing pretend HR or advantages messages.
- Enterprise telephone and fax – Direct contact traces
- Deal with (traces 1 and a pair of), metropolis, state, ZIP, nation – Full bodily handle info that may expose dwelling or workplace places.
- Matrix supervisor and proxy – Secondary supervisors or account delegates.
- Default locale and login methodology – Technical settings which may present how staff authenticate, reminiscent of single-sign-on or password methods.
- Evaluate frequency, final evaluation date, firm exit date, HR efficiency information and employment standing indicators.
- Project ID exterior – A singular quantity linking the worker to exterior distributors or contractors.
- Seating chart – Details about the bodily desk or workplace location, which may expose format and staffing particulars.
This information is now additionally on the market for $2 million.
The claims made by the Everest ransomware group add to a rising listing of high-profile assaults focusing on main corporations. Whether or not all of the stolen information is real stays unclear, but when confirmed, the affect might be severe for each staff and passengers. To date, AT&T and Air Arabia haven’t commented on the group’s claims.
