Authorities in Spain have arrested a 19-year-old resident of Igualada (Barcelona) for illegally accessing numerous companies and stealing the personal data of thousands, potentially millions, of Spanish citizens. The theft of private information has become a widespread issue, often thought to originate from remote locations. However, this case highlights that it can also occur locally. Investigators have revealed that the suspect has been implicated in stealing data from multiple Spanish and one French organization. “I've encountered personal data in six databases, but I'm not surprised; I know what's out there,” noted one investigator involved in the case.
1. Who Buys Stolen Data?
Stolen data is often sold to the highest bidder, and information about Spanish citizens is particularly valuable due to its origin from a Western country. Surprisingly, “the buyer is usually Spanish as well,” state research sources. The most common use of this stolen data is for scams, such as those conducted via SMS. However, it is also employed for targeted advertising campaigns. “We have identified that personal profiling is increasingly common and more costly,” added a police source, elaborating that such profiling includes details such as residential information, income, and individual habits. Sophisticated software compiles data from various sources to acquire comprehensive profiles on potential targets.
“The leaks are typically utilized to gather as much information as possible about victims,” stated Sergio Pastrana, a Computer Science professor at Carlos III University in Madrid. This wealth of information is crucial for conducting advanced social engineering attacks, where attackers tailor their approaches based on the stolen data. While there are rumors that competing companies might use these illegal databases, police sources label this as “a myth,” asserting that acquiring such data can assist in understanding competitors' clients and crafting counter-offers.
Local buyers of these databases also include cyber threat intelligence firms that aim to determine if their clients have been impacted by data breaches, including banks searching for stolen credit cards. According to Guillermo Suárez-Tangil, a researcher at the Imdea Networks Institute in Madrid, companies may directly benefit economically by persuading users to switch phone providers. Evidence exists that companies do access competitor data: “I have personally received calls from my mobile operator. They knew my name, my company, and my phone number, presumably due to a profile made from stolen data,” he explained.
2. Who Are the Hackers?
The suspect from Igualada reportedly “bored” himself during computer science vocational training by engaging in theft. Authorities have encountered several young individuals with similar profiles, noting that “at least four or five others have already been arrested in Spain.” Many of these hackers start exploring the internet at a young age, developing their skills by participating in forums and sharing scripts for exploiting vulnerabilities. “They sometimes collaborate to execute attacks,” investigations revealed.
Competition among young hackers can be fierce, with some proudly displaying their exploits on social media. “One individual, after his arrest, shared the information on Instagram, almost as if to say, ‘I've made it; I've got an arrest record,'” a police source reported.
3. Why Do They Steal Data?
Financial gain is the most apparent motivation behind these thefts. “It's very profitable. We've seen cold wallets containing millions of euros,” authorities disclosed. The largest identified case involved around five million euros, although this figure results from cumulative efforts rather than a single transaction. “Stolen databases can command high prices, but costs are usually discussed privately in forums,” Suárez-Tangil noted.
The penalties for these infractions are relatively low, which encourages the behavior, according to law enforcement. Crimes related to data theft, computer damage, and privacy violations carry penalties of only two to four years. Furthermore, attackers often operate during off-peak hours, such as Friday evenings or weekends, to avoid detection from companies.
4. What Can Users Do?
“We need to raise awareness about not sharing personal data with just any company,” emphasized one operation leader. “Be cautious with passwords—many individuals reuse work passwords across multiple platforms like Netflix and gyms.” Companies must enhance their cybersecurity defenses, recognizing that vulnerabilities can arise from older branches or outdated systems, sometimes a single weak link can lead to broader breaches.
