Skip to content

Incidents in country:

Spain

7 incidents catalogued

Data breachContained

Telefónica Hellcat infostealer-to-Jira breach (Spain, 2025)

Infostealer malware on the endpoints of 15+ Telefónica employees gave the Hellcat ransomware group credentials into the company's internal Jira ticketing system. Social-engineering escalated the access to SSH. The group did not extort — it publicly published 2.3 GB including 24,000 employee emails, 470,000 internal Jira tickets, and 5,000 internal documents.

Victim
Telefónica
Records
500.0K
Credential stuffingContained

Snowflake customer-account credential-stuffing campaign (UNC5537, 2024)

A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.

Victim
Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
Records
560.0M
Data breachResolved

Phone House España data breach (2021)

In April 2021, the Spanish retailer Phone House allegedly suffered a ransomware attack that also exposed significant volumes of customer data. Attributed to the Babuk ransomware, a collection of data alleged to be a subset of a larger corpus was posted to a dark web site and contained 5.2M email…

Victim
Phone House España
Records
5.2M
RansomwareResolved

Phone House Spain ransomware breach

The Babuk ransomware gang breached Spanish mobile retailer The Phone House and leaked roughly 100 GB of customer data — names, ID numbers, bank details and contact information on up to 3 million people — after the company refused to pay.

Victim
The Phone House España
Loss
$7.0M
Records
3.0M
Data breachResolved

Air Europa payment-data breach

Spanish airline Air Europa exposed contact and full payment-card data — including CVV codes — on roughly 489,000 customers across 1.5 million records, and was fined €600,000 by the AEPD for weak security and a 41-day notification delay.

Victim
Air Europa
Loss
$648.0K
Records
1.5M