How did the suspect obtain the sensitive data?

The suspect aggregated data from older breaches, credential dumps, and open-source intelligence tools to compile and disseminate the sensitive information.

What measures can be taken to prevent such data leaks?

Implementing robust cybersecurity protocols, regular audits, employee training, and monitoring for unauthorized data access can help prevent such incidents.

Spain Arrests Minor for Leaking Sensitive Government Data

A minor in Granada was arrested for leaking sensitive data of government employees, highlighting the growing threat of doxing and the need for enhanced cybersecurity measures.

Published: June 2, 2026

Share this on:

Executive Summary

In May 2026, Spanish authorities arrested a minor in Granada for leaking sensitive personal data of members from critical state institutions, including the National Cybersecurity Institute (INCIBE), the State Attorney General's Office, the National Police, the Civil Guard, and the National Security Council. The individual disseminated this information online, posing significant national security risks. The arrest followed an urgent investigation initiated after the mass dissemination of this data was detected, leading to a search of the suspect's residence and the seizure of electronic devices for forensic analysis.

This incident underscores the growing threat of doxing, where personal information is maliciously published online, targeting government officials and institutions. The case highlights the need for robust cybersecurity measures and the importance of protecting sensitive data to prevent potential threats to national security.

Why This Matters Now

The arrest highlights the escalating threat of doxing against government officials, emphasizing the urgent need for enhanced cybersecurity measures to protect sensitive data and maintain national security.

Attack Path Analysis

The attacker initially gathered publicly available information on government employees, then escalated access by exploiting weak authentication mechanisms. They moved laterally to access sensitive data repositories, established command and control channels to exfiltrate data, and ultimately leaked the information, impacting national security.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

High

Impact

High

Initial Compromise

Description

The attacker collected publicly available information on government employees to build a comprehensive profile.

Confidence:

High

MITRE ATT&CK® Techniques

Reconnaissance

T1589

Gather Victim Identity Information

Reconnaissance

T1592

Gather Victim Host Information

Reconnaissance

T1595

Active Scanning

Initial Access

T1078

Valid Accounts

Exfiltration

T1567

Exfiltration Over Web Service

Credential Access

T1110

Brute Force

Command and Control

T1090

Proxy

Defense Evasion

T1036

Masquerading

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

NIST SP 800-53 – Account Management

Control ID: AC-2

The incident involved unauthorized access to sensitive data, indicating deficiencies in account management and access controls.

PCI DSS 4.0 – User Identification and Authentication

Control ID: 8.2.1

The breach suggests weaknesses in user authentication mechanisms, potentially violating requirements for secure user identification.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The exposure of sensitive government employee data indicates a failure to implement and maintain an effective cybersecurity policy as mandated.

DORA – ICT Risk Management Framework

Control ID: Article 5

The incident highlights inadequate ICT risk management practices, leading to unauthorized data disclosure.

NIS2 Directive – Security Requirements

Control ID: Article 21

The breach demonstrates non-compliance with security requirements for network and information systems, affecting critical entities.

CISA ZTMM 2.0 – Identity and Access Management

Control ID: 3.1

The unauthorized data access suggests lapses in identity verification and access management controls.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Government Administration

Direct target of doxing attack exposing sensitive employee data from National Police, Civil Guard, and security agencies, requiring enhanced egress security and threat detection capabilities.

Law Enforcement

Personnel data from Spanish National Police and Civil Guard leaked, creating operational security risks and requiring zero trust segmentation and encrypted traffic protection measures.

Judiciary

Hundreds of Spanish judges and prosecutors had personal data published on Doxbin, necessitating multicloud visibility controls and anomaly detection for ongoing threat monitoring.

Computer/Network Security

INCIBE cybersecurity institute targeted in coordinated doxing campaign, highlighting need for enhanced data exfiltration prevention and secure hybrid connectivity for critical infrastructure protection.

Sources

Spain arrests doxer leaking sensitive data of govt employeeshttps://www.bleepingcomputer.com/news/security/spain-arrests-doxer-leaking-sensitive-data-of-govt-employees/
Verified

La Policía Nacional detiene a una persona por la filtración masiva de datos personales de miembros de instituciones sensibles del Estadohttps://policia.es/_es/comunicacion_prensa_detalle.php?ID=16895

Verified

No, INCIBE no ha sido víctima de un ciberataque: qué es el doxing y cómo INCIBE se ha visto afectadohttps://www.incibe.es/ciudadania/blog/no-incibe-no-ha-sido-victima-de-un-ciberataque-que-es-el-doxing-y-como-incibe-se-ha

Verified

Frequently Asked Questions

Doxing is the act of publicly revealing previously private personal information about an individual or organization, typically via the internet, without their consent.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate sensitive data by enforcing strict segmentation and controlled egress policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While CNSF primarily focuses on internal network security, its comprehensive visibility could potentially identify unusual access patterns, thereby limiting the attacker's ability to exploit weak authentication mechanisms.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing strict access controls, thereby reducing the scope of unauthorized access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: East-West Traffic Security would likely constrain the attacker's lateral movement by monitoring and controlling internal traffic, thereby reducing the reachability of sensitive data repositories.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Multicloud Visibility & Control would likely detect and limit the establishment of covert channels by providing comprehensive monitoring across cloud environments, thereby reducing the attacker's ability to exfiltrate data.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Egress Security & Policy Enforcement would likely limit data exfiltration by enforcing strict outbound traffic policies, thereby reducing the attacker's ability to transfer sensitive data externally.

Impact (Mitigations)

While CNSF controls would likely reduce the attacker's ability to exfiltrate data, any residual exposure could still lead to public data leaks, albeit with a significantly reduced scope and impact.

Impact at a Glance

Affected Business Functions

National Security Operations
Law Enforcement Activities
Cybersecurity Coordination
Judicial Processes

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Personal data of members from the State Attorney General's Office, INCIBE, National Police, Civil Guard, and National Security Council.

Recommended Actions

• Implement Multi-Factor Authentication (MFA) to strengthen authentication mechanisms.
• Deploy Zero Trust Segmentation to limit lateral movement within the network.
• Utilize East-West Traffic Security to monitor and control internal traffic flows.
• Establish Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
• Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Spain Arrests Minor for Leaking Sensitive Government Data

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Gather Victim Identity Information

Gather Victim Host Information

Active Scanning

Valid Accounts

Exfiltration Over Web Service

Brute Force

Proxy

Masquerading

Potential Compliance Exposure

NIST SP 800-53 – Account Management

PCI DSS 4.0 – User Identification and Authentication

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

NIS2 Directive – Security Requirements

CISA ZTMM 2.0 – Identity and Access Management

Sector Implications

Government Administration

Law Enforcement

Judiciary

Computer/Network Security

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads