A leak tied to Air Miles España, operator of the Travel Club loyalty program, exposes 5,120,597 records, including names, emails, usernames, and dates of birth (leaksear.ch metadata). The leak-source metadata attributes the dataset to Everest ransomware and lists November 25, 2025 as the breach date, consistent with public reporting that Everest claimed an intrusion against Air Miles España in late November 2025 (cybernews.com, www.scworld.com).
What happened
Air Miles España describes itself as the company that manages Travel Club and Inloyalty, with Repsol, Iberia, and Eroski as shareholders. The company says Travel Club has more than 6.8 million members and more than 10,000 associated establishments (www.travelclub.es).
Cybernews reported on November 25, 2025 that the Everest ransomware group listed Air Miles España on its leak portal and claimed to have exfiltrated 131GB of data, including millions of customer records. Cybernews also reported at the time that Everest’s claim had not been publicly confirmed by the company, so the incident should be treated as attacker-attributed public reporting unless Air Miles España issues confirmation (cybernews.com).
SC Media separately summarized the incident as an Everest claim against Air Miles España, the operator of Spain’s Travel Club rewards program, with potentially exposed personal details and loyalty account information. Breachsense also lists travelclub.es as the victim, Everest as the threat actor, November 25, 2025 as the discovery date, and 131GB as the leak size (www.scworld.com, www.breachsense.com).
What data was exposed
The leaksear.ch index for this leak contains directly searchable names, email addresses, usernames, and dates of birth (leaksear.ch metadata).
Additional stored fields in the indexed records include membership and program metadata, such as affiliation channel, signup dates, email signup dates, physical cancellation dates, email blocking dates, account or member status indicators, gender or sex, program flags, an email-block flag, and an internal loyalty household or member identifier (leaksear.ch metadata). These additional fields are stored with records but are not listed as searchable pivots on leaksear.ch.
Why this matters
Names, emails, usernames, and dates of birth give attackers enough context to craft convincing Travel Club, retail, airline, or fuel-program phishing lures. Dates of birth can also increase identity-verification and account-recovery risk when organizations use them as weak knowledge checks.
For security teams, the loyalty-program context matters because exposed account lifecycle and program metadata can help attackers distinguish active members from inactive or blocked accounts. Individuals who used Travel Club should check whether their data appears in this leak and treat unexpected loyalty-point, password-reset, or partner-promotion messages with caution.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include date of birth, email, name, and username.