Cyber Incident Victim: Frigoríficos Bandeira S.L.

On August 28, 2022, Frigoríficos Bandeira S.L. detected a security breach in its information systems that compromised data availability and confidentiality. The incident originated from a phishing attack that delivered malware, resulting in the encryption of files and information stored on the company’s servers. Attackers gained access through these methods, specifically targeting stored data, which included basic personal details, national identification numbers (DNI/NIE), financial information, payment method data, contact information, and access credentials. The company identified that the breach could affect customers, suppliers, and employees but assessed the potential consequences as low severity after evaluation. The malware’s primary action involved encrypting files on the affected server and Network Attached Storage (NAS) systems, disrupting normal operations. No evidence suggested data exfiltration beyond the encryption activity. The intrusion was confined to internal systems accessible via external user accounts, though the exact duration of unauthorized access prior to detection was not disclosed. Frigoríficos Bandeira did not specify the number of affected individuals or the precise timeframe of the attack but confirmed the compromise of server and NAS storage.

In response, Frigoríficos Bandeira implemented immediate containment measures, including blocking all externally accessible user accounts to isolate compromised systems. The company formatted the operating system of the affected equipment and performed a full format of the NAS to remove malicious artifacts. Security measures were reviewed and reinforced across IT infrastructure to prevent recurrence. Pursuant to GDPR Article 33, the incident was reported to the Spanish Data Protection Agency (AEPD) on August 31, 2022, within the mandatory 72-hour notification window. No ransom demands or threat actor communications were mentioned in the disclosure. The company advised potentially impacted parties to scrutinize email senders, avoid opening attachments from unknown sources, and consult their financial institutions about additional security precautions. Frigoríficos Bandeira provided a contact phone number and email address for further inquiries but did not reference law enforcement involvement, third-party forensic assistance, or data restoration timelines. Operational disruptions were implied but not detailed beyond the system remediation steps undertaken.