Policy, Jul 3, 2026

AEPD (Spain) - PS-00020-2025

Spain's AEPD fines Alkora S.A.U. €200,000 for insufficient security after ransomware breach.

Summary

Spain's AEPD has fined Alkora S.A.U., an insurance brokerage, €200,000 following a ransomware attack that exposed the personal data of approximately 40,000 individuals, including 75 minors. The authority found that Alkora had insufficient security measures in place and failed to conduct a Data Protection Impact Assessment (DPIA) despite knowing about extreme cybercrime risks. The breach resulted in data encryption and exfiltration, affecting confidentiality, availability, and integrity.

Full text

AEPD - PS-00020-2025 (GDPRhub, revision as of 10:20, 3 July 2026, initial contributor: bms)

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR, Article 35 GDPR, Article 58(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 200,000 EUR
Parties: Alkora S.A.U.
National Case Number/Name: PS-00020-2025
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)

The DPA fined a controller €200,000 after a ransomware breach exposed data of around 40,000 people and found insufficient security measures and failure to carry out a DPIA.

English Summary

Facts

Alkora, S.A., the controller, is an insurance brokerage that was the victim of a ransomware attack. The controller notified the DPA of a personal data breach after a ransomware attack affected its servers, databases, email systems and employee devices. The controller first estimated that 25,000 persons were affected. It later stated that the incident had affected around 40,000 persons, including 75 minors. The incident affected confidentiality, availability and integrity. The attacker encrypted systems and exfiltrated between 3.5 and 4 TB of information from the document management server. The affected data included identification and contact data, ID numbers, dates of birth, financial and insurance data, bank account numbers, health data, employee data and access credentials. The controller also processed data relating to minors in accident claims.

A data subject complained to the DPA after being informed that their personal data had been exposed. The data subject was concerned about identity theft and requested additional information from the controller. During the investigation, the DPA found that the controller had known that its IT systems faced an extreme cybercrime risk before the breach. The forensic report could not determine the initial entry point because the servers had been encrypted, but it showed that the attackers could move laterally through the infrastructure, obtain privileged access, install tools, exfiltrate data and encrypt systems. The controller had carried out a risk analysis in 2019, but this document concluded that no DPIA was necessary. After the breach, a later analysis found that a DPIA was necessary for processing operations involving health data and minors. The controller did not prove that it had carried out the required DPIA.

Holding

The DPA held that the controller violated Article 5(1)(f) GDPR. It considered that the controller had failed to ensure the integrity and confidentiality of the personal data under its responsibility. The DPA emphasised that the principle in Article 5(1)(f) GDPR is not limited to the existence of isolated security measures. Rather, the controller must implement adequate technical and organisational measures capable of ensuring that personal data is protected against unauthorised or unlawful processing, loss, destruction or damage. The DPA rejected the controller's argument that the attack was an external criminal act that could not be attributed to it. The DPA found that the controller was aware of an extreme cyber risk and that its internal vulnerabilities and security posture allowed the attackers to move through the systems, access personal data and encrypt files. The DPA therefore considered that the controller's measures were clearly insufficient.

The DPA also held that the controller violated Article 35 GDPR. The controller processed high-risk categories of data, including health data and data concerning minors. In these circumstances, it should have carried out a DPIA before the processing. The DPA found that the controller's 2019 risk analysis wrongly concluded that no high risk existed, while its later documentation acknowledged that a DPIA was necessary.

The DPA proposed a fine of €150,000 for the infringement of Article 5(1)(f) GDPR and €100,000 for the infringement of Article 35 GDPR, totalling €250,000. The controller paid voluntarily without acknowledging liability, obtaining a 20% reduction under Spanish Administrative Law (39/2015). The final payable amount was therefore €200,000. The DPA also ordered the controller, under Article 58(2)(d) GDPR, to prove within three months from the enforceability of the decision that it had carried out the mandatory DPIA required under Article 35 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202411980

RESOLUTION TERMINATING THE PROCEEDINGS DUE TO ACKNOWLEDGMENT OF LIABILITY AND VOLUNTARY PAYMENT

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On October 22, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against TBO WORKING SEGURIDAD, S.L. (hereinafter, TBO), by means of the agreement transcribed below:

<< File No.: EXP202411980

AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

Based on the actions taken by the Spanish Data Protection Agency, and on the following

FACTS

FIRST: On July 30, 2024, a complaint was filed with the Spanish Data Protection Agency. The complaint is directed against the party identified as TBO WORKING SEGURIDAD, S.L., with Tax Identification Number B55500185 (hereinafter, the respondent), for the installation of a video surveillance system located at ***ADDRESS.1, there being indications of a possible breach of the provisions of current data protection regulations. The grounds for the claim are as follows:

"The defendant (a company whose administrator is her husband) has four security cameras on the exterior facade overlooking the street, four cameras on the first-floor landing, and two in the hallways inside the coworking offices (one with a view into the bathroom). The defendant is identified as responsible in all of them. The claimant rented a coworking office on the same floor as the defendant's branch from February 2021 to May 2024. From March to September 2023, the company captured more than 400 images of her and her children under 14 years of age. These images were submitted as evidence in the divorce proceedings on February 1, 2024, as evidence of alleged work activity."

The following documentation is attached: judgment for domestic abuse, images submitted to the divorce proceedings, security camera footage above the door of an office focusing on the entrance to the restrooms, request for the deletion of all images of her and her children, right of access and response from the respondent.

SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the aforementioned complaint was forwarded to the respondent, so that they could analyze it and inform this Agency within one month of the actions taken to comply with the requirements established in the data protection regulations. The forwarding was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), and was duly received, as evidenced by the acknowledgment of receipt contained in the file.

THIRD: On September 23, 2024, a document was received from the entity ag

Indicators of Compromise

  • malware — ransomware

Entities

  • AEPD (vendor)
  • Alkora S.A.U. (product)