Back

Spanish Police Arrest Doxer Leaking Sensitive Data of Government Employees

Severity: High (Score: 71.5)

Sources: Bleepingcomputer, Surinenglish, www.incibe.es, Feeds2.Feedburner

Published: 2026-06-01 · Updated: 2026-06-02

Keywords: leaking, sensitive, data, arrested, state, national, spain

Severity indicators: sensitive data

Summary

The Spanish National Police arrested an individual for leaking sensitive personal data of employees from key state institutions, including the National Cybersecurity Institute (INCIBE). The leak posed significant national security risks, affecting personnel from various organizations such as the National Police and the Civil Guard. The investigation revealed that the leaked data was aggregated from older breaches and OSINT tools, with some records containing outdated information. Authorities conducted a raid on the suspect's residence in Granada, seizing computers and electronic devices for forensic analysis. The police emphasized the urgent need to address the growing threat of doxing and mass data leaks targeting public officials. Complaints to the Spanish data protection agency have surged, indicating rising concerns over data privacy. The investigation remains ongoing, with potential for further arrests. Key Points: • A suspect was arrested for leaking sensitive data of government employees, including those from INCIBE. • The leaked information posed national security risks and was sourced from previous data breaches. • The investigation is ongoing, with police analyzing seized devices for evidence of additional participants.

Detailed Analysis

**Impact** Personal data of current and former employees from multiple critical Spanish state institutions were exposed, including INCIBE, the National Police, the Civil Guard, the State Attorney General’s Office, the National Security Council, the Ministry of Finance, and the Tax Agency. The leak affected hundreds of individuals, with some data being outdated but still posing risks of intimidation, extortion, and targeted attacks. The exposure created immediate risks to the safety and operational integrity of both personnel and the institutions involved, with increased complaints to the Spanish data protection agency reported. **Technical Details** The data leak resulted from doxing practices involving aggregation and correlation of previously compromised data from older breaches, credential dumps, and OSINT sources rather than direct system breaches. The suspect was identified and arrested in Granada, with seized electronic devices currently under forensic analysis. The threat actor, known as ‘Police-ESP-Doxed,’ published the data on platforms including BreachForum and Doxbin. No malware, CVEs, or direct network intrusion methods were reported. **Recommended Response** Affected individuals should immediately change any exposed or potentially reused passwords and enable multi-factor authentication (MFA) on all accounts. Organizations must monitor for phishing, vishing, and smishing campaigns leveraging the leaked data. Evidence of unauthorized data publication should be reported to law enforcement and content removal requested from hosting platforms. Defenders should monitor for further data leak activity and await forensic results for additional IOCs or threat actor infrastructure.

Source articles (4)

  • Hacker arrested in Granada after leaking personal data of state officials — Surinenglish · 2026-06-01
    Spain’s National Police have arrested a suspect accused of publishing the personal data of staff across some of the country’s most sensitive state institutions. The targeted organisations include INCI…
  • Spain arrests doxer leaking sensitive data of govt employees — Bleepingcomputer · 2026-06-01
    The Spanish National Police has arrested an individual for leaking sensitive information related to members of various key state organizations, including the National Cybersecurity Institute (INCIBE).…
  • INCIBE posted in February — www.incibe.es · 2026-06-01
    INCIBE ha tenido conocimiento de publicaciones en plataformas de doxing que exponen datos personales atribuidos a antiguos y actuales empleados. Un aspecto clave para interpretar correctamente estos c…
  • Sensitive government personnel data posted online, Spanish police arrest suspect — Feeds2.Feedburner · 2026-06-02
    The Spanish National Police arrested a man in Granada for allegedly leaking personal data belonging to members of several sensitive state institutions. According to police, the suspect published the i…

Timeline

  • 2026-05-27 — Suspect arrested in Granada: Spanish police arrested an individual responsible for leaking sensitive data from various state institutions, including INCIBE.
  • 2026-06-01 — INCIBE issues statement on doxing: INCIBE clarified that the exposure of personal data does not indicate a breach of their systems but rather targeted data collection.
  • 2026-06-01 — Data leak investigation launched: The investigation began after authorities detected mass dissemination of personal data, posing risks to affected individuals and institutions.
  • 2026-06-02 — Ongoing analysis of seized devices: Police are currently analyzing the seized electronic devices to uncover further evidence and potential accomplices in the data leak.

Related entities

  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Civil Guard (Company)
  • Incibe (Company)
  • Ministry Of Finance (Company)
  • National Police (Company)
  • National Security Council (Company)
  • Public Prosecution Service (Company)
  • State Attorney General's Office (Company)
  • State Attorney General’s Office (Company)
  • State Attorney's Office (Company)
  • Tax Agency (Company)
  • Spain (Country)
  • Government (Industry)
  • T1566 - Phishing (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed