Cyber Incident Victim: Consejo General del Poder Judicial (CGPJ) / Punto Neutro Judicial (PNJ)

A cyberattack targeting Spain's General Council of the Judiciary (CGPJ) was detected in October 2022, impacting the Punto Neutro Judicial platform used for interagency data exchange. The breach exposed sensitive personal information belonging to approximately 500,000 taxpayers and 50,000 police officers through unauthorized access to systems operated by the Treasury Information Services and the General Police Directorate. While the attackers successfully compromised these government entities' data repositories, judicial records and court-related information remained unaffected according to official statements. The incident was publicly disclosed on November 8, 2022, nearly three weeks after initial detection, with the Spanish Data Protection Agency (AEPD) identified among the affected parties. The attack vector and duration of unauthorized access prior to detection were not specified in available disclosures.

The data exposure represented a significant compromise of citizen and law enforcement personnel information, though operational judicial systems avoided disruption. No evidence emerged suggesting manipulation or destruction of accessed records beyond exfiltration. Response actions focused on securing breached systems, with no details provided regarding containment procedures, forensic investigations, or coordination with law enforcement. The incident highlighted vulnerabilities in intergovernmental data sharing infrastructure, particularly the Punto Neutro Judicial platform's integration points with external agencies. Financial penalties or identity protection measures for affected individuals were not addressed in initial disclosures, while the AEPD's involvement as both victim and regulator introduced potential oversight implications.