May has been a terrible month for Spanish cybersecurity. In a matter of days, Banco Santander, Telefónica, Iberdrola, the DGT and the Complutense University have fallen victim to cyberattacks or are investigating alleged security breaches. Added to these is an international breach that would also have affected Spanish clients: the one suffered by Ticketmaster, which would include the records of more than 500 million users of its ticket platform around the world.

All of them have been attacks to steal the personal data of citizens stored in their systems. Companies such as Banco Santander or Iberdrola have tried to downplay the importance of the breaches, claiming that among the stolen information there is only “contact data” and “no passwords or financial information.” However, cybersecurity specialists reject this call for calm and point out that these thefts put the affected citizens in the crosshairs.

“They may not have my bank details, but they have my ID, they know that I belong to Santander or that I am registered with Telefónica, or that I am an Iberdrola customer. With that, they already have enough data to create a super-targeted scam attempt in which they impersonate these companies to deceive you,” warns Rafael López, cybersecurity expert at the firm Perception Point.

“We must keep in mind that this is no longer done by a guy breaking stones and preparing the emails by hand,” continues the specialist: “This type of data can now be entered into artificial intelligence systems that prepare the phishing as if it were a churrera and they leave it perfect and personalized. That’s why it’s so dangerous. Now what we need to warn about is that an unprecedented campaign of scam attempts is coming.”

Some of the most successful digital fraud campaigns, especially those directed against ordinary citizens, are not based on breaking the defenses of their devices using computer brute force. On the contrary, what they are trying to do is get the victim to open the door for them. Something that they can achieve with a single piece of personal information, such as knowing that their target is a father or mother, or what their bank is.

Everyone is vulnerable

To this strategy, cybercriminals add a trick that can destroy even the most robust defense: the sense of urgency. This week, cybersecurity expert Marc Rivero, one of Spain’s leading malware and threat research specialists, told the Securiters podcast how he almost fell for phishing. “I received a ‘DGT alert’ message: you have an unpaid fine worth 35 euros that will double in 24 hours. You must pay it now.”

“The objective fact is that I am waiting to pay a fine. He caught me in the middle of a meeting. I did it super fast, I was busy…”, summarizes Rivero, who declares that he clicked on the fraudulent link and filled out the fields that the cybercriminals asked him to fill in to pay the supposed fine, until he realized that he could not identify himself with a certificate: “My goodness, I have been doing this for 15 years and I almost fell into a phishing…”.

The expert’s warning highlights that, even for someone who maintains a critical spirit in digital communications, scammers can take advantage of any moment of distraction, and a stroke of luck, such as the fact that there is an unpaid fine (or personal data that falls into their hands), can end in a cyber scam.


Some of the companies affected by cyberattacks this week have excused themselves, claiming that these have not affected their systems but those of their suppliers. Both Telefónica and Iberdrola have pointed out that the thefts have been from third-party companies to which they had transferred the databases with their clients’ information for management.

For specialists, this situation puts the focus on the fact that these large companies delegated the databases to companies with less solid security measures. “That third company would have to assume the same protocols as the one that collects the data and if there is a leak, the responsibility should be assumed by both,” asks Rafael López, in reference to the possible fines from the Spanish Data Protection Agency (AEPD).

“When there is a penalty, let them both pay. It is the only way for large companies to step up and demand the most from all their subcontractors,” continues the expert, who also asks the privacy regulator to be stricter when this type of breach occurs, which affects the operations of companies very little but can involve thousands of scam attempts against their clients.

“If the body that has to sanction does it late and poorly, we will never stop seeing this type of breach,” he concludes.

Under the EU General Data Protection Regulation, privacy regulators can fine up to €20 million or 4% of a company’s annual turnover, whichever is higher. However, the Spanish Agency has never come close to those figures for leaks of personal information. Its highest sanction has been against Google (10 million euros in 2022) for its management of the right to be forgotten. The second, against Vodafone (8 million in 2021) for the lack of control in the sending of commercial communications.

The largest fine for a data breach imposed by the AEPD was precisely against Iberdrola and its subsidiary i-DE Redes Eléctricas Inteligentes (3 million euros for the first and 3.5 million for the second) after another serious cyber attack that the electricity company suffered in 2022.

In the case of public institutions such as the DGT or the Complutense University, the privacy regulator cannot even fine them financially. Spanish law establishes that no sanction against a public entity can entail a financial penalty; it must remain a “warning”.

