Phone House Spain ransomware breach

On 8 April 2021, The Phone House España — the Spanish arm of the European mobile-phone retail chain (part of Dixons Carphone) — was struck by a ransomware attack carried out by the Babuk gang. When the company declined to pay, the attackers dumped roughly 100 GB of customer data online, in one of Spain's most consequential retail breaches.

What happened

Babuk, a ransomware-as-a-service operation that emerged in early 2021, encrypted Phone House systems and exfiltrated internal databases before deploying its locker. Following the now-standard double-extortion model, the group listed the company on its dark-web leak site on 11 April and started a public countdown demanding payment to prevent publication.

The Phone House refused. On 22 April, the attackers released the full trove. While Babuk boasted of data on 13 million customers, subsequent analysis — including by Spain's national CERT, INCIBE — concluded the genuinely affected population was closer to 3 million individuals, spanning current customers, former customers, employees and suppliers.

Impact

The leaked data included full names, national ID (DNI) numbers, home addresses, email addresses, phone numbers, nationalities, dates of birth and banking details, alongside device-related records such as IMEI codes and insurance policy information.
Because the dump was published in full, exposed individuals faced lasting risks of phishing, identity theft and SIM-swapping fraud — risks that cannot be revoked once data is public.
The breach quickly populated Have I Been Pwned and other monitoring services, allowing customers to confirm their exposure.

Regulatory aftermath

On 27 December 2023, Spain's data protection authority, the AEPD, fined The Phone House €6.5 million — one of the largest sanctions ever issued against a Spanish retailer. The penalty broke down into €4 million for violating GDPR Article 5.1(f) (integrity and confidentiality) and €2.5 million for breaching Article 32 (security of processing). Investigators found the company had relied on an insecure encryption algorithm and lacked adequate technical and organisational safeguards for the volume and sensitivity of personal data it held.

Why it matters

The Phone House case underscores that, under GDPR, refusing the ransom does not end the liability. Even when a victim correctly declines to pay criminals, regulators will examine whether the underlying security failures made the breach possible in the first place. For a retailer holding identity and banking data on millions of consumers, weak encryption and insufficient controls translated directly into a multi-million-euro fine — independent of, and additional to, the reputational damage of the public leak itself.

Timeline

April 8, 2021

The Phone House España is hit by a ransomware attack attributed to the Babuk group, which encrypts systems and exfiltrates customer databases.

April 11, 2021

Babuk publishes the company on its leak site and begins a countdown, demanding payment to prevent disclosure of the stolen data.

April 22, 2021

After the deadline passes without payment, the attackers publish roughly 100 GB of data online, claiming records on around 13 million customers.

April 23, 2021

Spanish media and INCIBE report the leak; the AEPD opens an investigation. Independent analysis pegs the genuinely affected population at around 3 million.

December 27, 2023

The AEPD fines The Phone House €6.5 million for inadequate security measures under GDPR Articles 5.1(f) and 32.

Sources

incibe.eshttps://www.incibe.es/en/incibe-cert/publications/cybersecurity-highlights/data-breach-would-affect-3-million-people

letslaw.eshttps://letslaw.es/en/the-phone-house-fine-spanish-aepd/

haveibeenpwned.comhttps://haveibeenpwned.com/Breach/PhoneHouse

euroweeklynews.comhttps://euroweeklynews.com/2021/04/23/phone-house-cyber-attack-could-see-data-from-13-million-people-exposed-online/

Related incidents

RansomwareResolvedMay 12, 2017

Telefónica WannaCry ransomware outbreak

On the day WannaCry erupted worldwide, the worm tore through the corporate network of Spanish telecom giant Telefónica, forcing the company to order thousands of staff at its Madrid headquarters to shut down their PCs.

Victim: Telefónica

RansomwareContainedMay 12, 2017

WannaCry ransomware worm

A North Korean ransomware worm that exploited the EternalBlue SMB vulnerability to spread to ~200,000 systems across 150 countries in 24 hours. Paralysed the U.K.'s NHS and crippled manufacturing globally.

Victim: ~200,000 organizations worldwide (UK NHS, Telefónica, Renault, Deutsche Bahn, Honda et al.)
Loss: $6.00B

RansomwareRansom paidMay 30, 2021

JBS Foods REvil ransomware

REvil affiliates encrypted the world's largest meat processor, shutting down beef and pork plants across the U.S., Canada, and Australia. JBS paid an $11 million ransom — one of the largest publicly-confirmed ransomware payments at the time.

Victim: JBS S.A. / JBS USA
Loss: $100.0M

RansomwareUnknownMay 8, 2026

Soprolux: banking documents and customer data released after a cyberattack

In May 2026, the BravoX ransomware group claimed a double-extortion attack on Soprolux, a French food distributor serving restaurants and professional clients, publishing banking documents, SEPA mandates, IBAN/RIB details and customer and supplier records to pressure the company.

Victim: Soprolux