Back to Feed
RansomwareJul 8, 2026

AEPD (Spain) - PS-00020-2025

Spain's AEPD fines insurance broker €200K for ransomware breach and insufficient security.

Summary

Spain's AEPD has fined an insurance broker €200,000 following a ransomware attack that exposed the data of approximately 40,000 individuals. The agency found that the broker had insufficient security measures in place and failed to conduct a Data Protection Impact Assessment (DPIA), violating GDPR principles.

Full text

Help AEPD (Spain) - PS-00020-2025: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 14:29, 7 July 2026 view sourceMba (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators929 editsm Tag: Visual edit← Older edit Latest revision as of 08:14, 8 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators145 editsTag: Visual edit Line 65: Line 65: }}}} The DPA fined a controller €200,000 after a ransomware breach exposed data of around 40,000 people and found insufficient security measures and failure to carry out a DPIA.The DPA fined an insurance broker €200,000 after a ransomware attack exposed data of around 40,000 people. The DPA found that the broker implemented insufficient security measures and failed to carry out a DPIA. == English Summary ==== English Summary == Latest revision as of 08:14, 8 July 2026 AEPD - PS-00020-2025 Authority: AEPD (Spain) Jurisdiction: Spain Relevant Law: Article 5(1)(f) GDPR Article 35 GDPR Article 58(2) GDPR Type: Investigation Outcome: Violation Found Started: Decided: Published: 01.07.2026 Fine: 200,000 EUR Parties: Alkora S.A.U. National Case Number/Name: PS-00020-2025 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Spanish Original Source: AEPD (in ES) Initial Contributor: bms The DPA fined an insurance broker €200,000 after a ransomware attack exposed data of around 40,000 people. The DPA found that the broker implemented insufficient security measures and failed to carry out a DPIA. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Alkora, S.A., the controller, is an insurance broker that was victim of a ransomware attack. The controller notified the DPA of a personal data breach after a ransomware attack affected its servers, databases, email systems and employee devices. The controller first estimated that 25,000 persons were affected. It later stated that the incident had affected around 40,000 persons, including 75 minors. The incident affected confidentiality, availability and integrity. The attacker encrypted systems and exfiltrated between 3.5 and 4 TB of information from the document management server. The affected data included identification and contact data, ID numbers, dates of birth, financial and insurance data, bank account numbers, health data, employee data and access credentials. The controller also processed data relating to minors in accident claims. A data subject complained to the DPA after being informed that their personal data had been exposed. The data subject was concerned about identity theft and requested additional information from the controller. During the investigation, the DPA found that the controller had known that its IT systems faced an extreme cybercrime risk before the breach. The forensic report could not determine the initial entry point because the servers had been encrypted, but it showed that attackers could move laterally through the infrastructure, obtain privileged access, install tools, exfiltrate data and encrypt systems. The controller had carried out a risk analysis in 2019, but this document concluded that no DPIA was necessary. After the breach, a later analysis found that a DPIA was necessary for treatments involving health data and minors. The controller did not prove that it had carried out the required DPIA. Holding The DPA held that the controller violated Article 5(1)(f) GDPR. It considered that the controller had failed to ensure the integrity and confidentiality of the personal data under its responsibility. The DPA emphasised that the principle in Article 5(1)(f) GDPR is not limited to the existence of isolated security measures. Rather, the controller must implement adequate technical and organisational measures capable of ensuring that personal data is protected against unauthorised or unlawful processing, loss, destruction or damage. The DPA rejected the controller’s argument that the attack was an external criminal act that could not be attributed to it. The DPA found that the controller was aware of an extreme cyber risk and that its internal vulnerabilities and security posture allowed the attackers to move through the systems, access personal data and encrypt files. The DPA therefore considered that the controller’s measures were clearly insufficient. The DPA also held that the controller violated Article 35 GDPR. The controller processed high-risk categories of data, including health data and data concerning minors. In these circumstances, it should have carried out a DPIA before the processing. The DPA found that the controller’s 2019 risk analysis wrongly concluded that no high risk existed, while its later documentation acknowledged that a DPIA was necessary. The DPA proposed a fine of €150,000 for the infringement of Article 5(1)(f) GDPR and €100,000 for the infringement of Article 35 GDPR, totalling €250,000. The controller paid voluntarily without acknowledging liability, obtaining a 20% reduction under Spanish Administrative Law (39/2015). The final payable amount was therefore €200,000. The DPA also ordered the controller, under Article 58(2)(d) GDPR, to prove within three months from the enforceability of the decision that it had carried out the mandatory DPIA required under Article 35 GDPR. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. Case No.: EXP202400624 DECISION TO TERMINATE THE PROCEEDINGS DUE TO VOLUNTARY PAYMENT Regarding the proceedings conducted by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On April 15, 2025, the Presidency of the Spanish Data Protection Agency decided to initiate disciplinary proceedings against ALKORA EBS CORREDURIA DE SEGUROS Y REASEGUROS SAU (hereinafter, ALKORA). Following notification of the decision to initiate proceedings and after analyzing the arguments submitted, a proposed resolution was issued on February 16, 2026, the text of which is transcribed below: << Case No.: EXP202400624 PROPOSED RESOLUTION ON DISCIPLINARY PROCEEDINGS Regarding the proceedings conducted by the Spanish Data Protection Agency and based on the following: Contents BACKGROUND..................................................................................................................3 FIRST: On April 22, 2023, this Agency was notified of a data breach involving ALKORA EBS CORREDURIA DE SEGUROS Y REASEGUROS SAU, with Tax ID No. A01051747 (hereinafter, ALKORA) .............................................................................................3 SECOND: On December 27, 2023, a complaint was filed with the Spanish Data Protection Agency regarding the previously reported data breach of personal data...........5 THIRD: Pursuant to Article 65.4 of Organic Law 3/2018, of December 5, on Data Protection and the Guarantee of Digital Rights (hereinafter LOPDGDD), said complaint was forwarded to ALKORA so that it could analyze it and inform this Agency, within one month, of the actions taken to comply with the requirements set forth in data protection regulations .......................................................................................................................................7 FOURTH: On March 27, 2024, in accordance with Article 65 of the LOPDGDD, the complaint was accepted for processing ....................................................................................20 6 Jorge Juan Street, 28001 – Madrid2/76 www.aepd.es sedeaepd.gob.es FIFTH: The Subdirectorate General for Data Inspection conducted preliminary investigative proceedings to clarify the facts in question, pursuant t

Entities

AEPD (vendor)ransomware (product)Alkora S.A.U. (product)