47M Spanish citizens exposed: Treasury investigates cyberattack

David Brooks - February 2, 2026 - 8 min read

Key takeaways

A threat actor called 'HaciendaSec' claims to have stolen personal and banking data on 47.3 million Spanish citizens from the Ministry of Finance. Here's what we know and what you should do.

What we know so far

On January 31, 2026, a cybercriminal using the alias HaciendaSec posted on a dark web forum claiming to have compromised the systems of Spain's Ministry of Finance (Ministerio de Hacienda). The alert came through Hackmanac, an account that specializes in monitoring data breaches.

I won't sugarcoat it: if the information is real, we're looking at the largest data breach in Spain's history.

The allegedly leaked data

According to the attacker, the database includes information on 47.3 million citizens:

| Data type | Associated risk |
|---|---|
| DNI/NIF (National ID) | Identity theft |
| Full names | Social engineering |
| Addresses | Mail fraud, burglary |
| Phone numbers | Vishing, SMS scams |
| Emails | Targeted phishing |
| Bank IBANs | Banking fraud |
| Tax information | Extortion, blackmail |

My verdict is clear: if this is confirmed, any Spanish citizen with a tax return is potentially exposed.

Is the 47.3 million figure credible?

According to Spain's National Statistics Institute, Spain has 49.4 million inhabitants as of October 2025. Of these, about 42 million are Spanish nationals.

The 47.3 million figure is technically plausible considering:

  • Virtually the entire adult population
  • Historical tax residents (deceased, emigrated)
  • Foreigners with tax obligations in Spain

However, there are reasons for doubt. HaciendaSec has no prior track record of documented cyberattacks. The profile was created specifically for this announcement, which reduces its credibility.

The official response from the Treasury

The Ministry of Finance has confirmed to several media outlets that it is "reviewing the situation to verify it." Sources from María Jesús Montero's department state they are analyzing the alleged cybercriminal's message.

Current status: neither confirmation nor denial.

If you ask me directly, this ambiguity is concerning. When institutions don't quickly deny something, there's usually something behind it.

Precedents: this has happened before

Spain is no stranger to government cyberattacks. The numbers speak for themselves:

| Date | Agency | Result |
|---|---|---|
| Oct 2022 | AEAT (Alcasec) | ✅ Confirmed - Hacker arrested |
| Oct 2025 | AEAT (Qilin) | ❌ Denied by AEAT |
| Nov 2024 | AEAT (Trinity) | ⚠️ External company affected |
| May 2024 | DGT (Traffic) | ✅ 34 million drivers |
| March 2021 | SEPE (Employment) | ✅ 710 offices paralyzed |

The most relevant case is Alcasec in 2022, where a Spanish hacker managed to steal the data of 500,000 taxpayers from the Tax Agency. He was subsequently arrested.

In the alleged Trinity hack in 2024, the investigation revealed that the attack was on an external company, not directly on the AEAT. The same thing could be happening again.

What you should do right now

Regardless of whether the breach is confirmed or not, there are actions you should take today:

1. Enable two-factor authentication (2FA)

On all these services at minimum:

  • Your online bank
  • Primary email
  • Cl@ve (the identification system used with the Treasury)
  • Any service linked to your ID

2. Monitor your bank accounts

Over the coming weeks, check daily for:

  • Unauthorized transactions
  • New direct debits
  • Changes to your contact details

3. Be suspicious of communications citing your data

If you receive an SMS, email, or call that mentions your ID, address, or tax data to "verify" something, it's almost certainly fraud. The Treasury will never ask for sensitive data through these channels.

4. Consider a CIRBE alert

The CIRBE from the Bank of Spain lets you see which entities have checked your credit information. If someone tries to open credit in your name, you'll see it here.

5. Document everything

If you suffer any type of related fraud, you'll need:

  • Screenshots
  • Date and time of incidents
  • Phone numbers or emails of attackers
  • Police report

Official resources available

If you need help or information:

| Resource | Description |
|---|---|
| 017 | INCIBE Cybersecurity Help Line |
| AEPD | Spanish Data Protection Agency |
| GDPR Breach Tool | Tool to assess breach risks |

The Treasury's legal obligations

Under GDPR, if the breach is real:

  1. The Treasury has 72 hours to notify the AEPD
  2. If there's high risk to those affected, it must notify citizens directly
  3. It could face multi-million euro fines if it doesn't comply

In 2025, the AEPD received over 2,700 data breach notifications. If the Treasury doesn't notify and the breach turns out to be real, the legal consequences would be severe.

My analysis: is it real or a bluff?

After reviewing all available information, here's my honest assessment:

Factors supporting it being real:

  • Spain has suffered multiple confirmed government cyberattacks
  • The data volume (47.3M) is consistent with the tax population
  • Hackmanac has a track record of alerting about real breaches

Factors against:

  • HaciendaSec has no verifiable track record
  • Profile created specifically for this announcement
  • Precedent: Trinity in 2024 turned out to be an external company

My verdict: Probability of real breach 50-60%. The alleged volume is doubtful. But the risk to citizens is high if it turns out to be true.

The best strategy is to act as if it's real while waiting for official confirmation. Better safe than sorry.

Frequently asked questions

How do I know if my data is in the leak?

Currently there's no way to verify directly. Tools like HaveIBeenPwned could index the data if it's publicly leaked, but for now the database is only for sale on the dark web.

Should I change my ID?

It's not possible to change your Spanish ID except in exceptional cases of serious threat. What you can do is set up alerts and monitor any fraudulent use.

Can the Treasury be sued?

If the breach is confirmed and the Treasury didn't comply with adequate security measures, those affected could have the right to claim damages under GDPR. The AEPD could impose administrative sanctions.

How long until we know if it's real?

Investigations of this type usually take weeks or months. In the Trinity case (2024), AEAT took more than a month to clarify that the attack was on an external company.

What do I do if I receive a call mentioning my tax data?

Hang up immediately. Don't provide any additional information. The Treasury will never call to request sensitive data. Report the fraud attempt to 017.

Conclusion: act now, don't wait

Regardless of whether the breach is confirmed, the reality is that Spain is a frequent target of government cyberattacks. In 2025 alone, each organization in Spain suffered an average of 1,911 attacks weekly.

My direct recommendation:

  1. Today: Enable 2FA on bank and email
  2. This week: Check bank transactions daily
  3. This month: Consider identity monitoring services

Don't wait for the Treasury to confirm anything. By the time they do (if they do), your data could be on sale to the highest bidder.

We'll update this article when there are official developments.

Sources & References

The sources used to write this article

  1. Hackmanac - Spain Treasury Breach Alert. X (Twitter)
  2. Treasury investigates possible cyberattack. El Correo Gallego
  3. Data from 47 million Spaniards for sale on dark web. EscudoDigital
  4. Hacker claims to have data from 47M citizens. Vozpopuli
  5. Treasury hack: what we know. BlogThinkBig
  6. Continuous Population Statistics. INE (Spain)
  7. Personal data breach notification. AEPD
  8. What to do if your personal data is leaked. Spanish Bar Association
  9. Main cyberattacks in Spain 2025. ChannelPartner
  10. Cyberattacks in Spain 2025. BitLife Media

All sources were verified at the time of article publication.

Written by David Brooks

Former VP of Operations at two SaaS unicorns. Now advising on digital transformation.
