Cyber Incident Victim: Mossos d'Esquadra
Date: Feb 2024
Location: Spain
Summary
Hackers breached a server of the Catalan police force, accessing and publishing critical personal data including officers' full names, identification numbers, and phone numbers from a document detailing personnel on duty during a specific night shift at a prison facility. The stolen information appeared in a restricted Telegram channel, followed by a second leak of similar data from the same compromised corporate mailbox, affecting additional agents. Authorities activated an emergency assessment commission, notified impacted personnel, blocked and reset non-nominal corporate mailboxes, and initiated an investigation coordinated with the Catalan Cybersecurity Agency to determine the intrusion method and scope of compromised data. Investigators are examining potential motives, including possible ransom demands, while previous cyberattacks targeting the force's union were referenced as historical context.
Description
On February 1, 2024, hackers breached a server belonging to the Mossos d'Esquadra, Catalonia’s police force, extracting critical personal data from personnel assigned to guard duty that night at the Roca del Vallès prison. The compromised document contained names, surnames, identification card numbers, and phone numbers of multiple officers and command staff across several units. Attackers published this information in a restricted but well-known Telegram channel frequented by hackers. Upon discovering the breach, the Mossos activated their Evaluation, Risk, and Protection Commission, led by the chief commissioner, to coordinate the response. Authorities notified approximately seventy affected officers and offered them support to file complaints through the Central Cybercrime Unit and the Data Protection Agency. As a preventive measure, the Telecommunications and Information Technology Center blocked non-nominal corporate email accounts, initiating password resets to mitigate further unauthorized access. The Central Cybercrime Unit assumed investigative control, collaborating with the Catalan Cybersecurity Agency to determine the intrusion method and scope. Investigators focused on identifying whether additional data beyond the February 1 guard roster—potentially stored on the compromised prison-area computer—had been exfiltrated but not yet disclosed. No ransom demands or explicit motives were confirmed at this stage. Police leadership convened an emergency meeting with unions to brief them on the incident and countermeasures.

A second data leak emerged shortly afterward, involving a similar document with personal details of seventy additional officers, extracted from the same breached corporate mailbox and disseminated via Telegram. Investigators later identified a second compromised mailbox containing data on two individuals, expanding the scope of affected personnel. The Mossos notified all newly impacted officers and reiterated legal support options. This incident echoed a 2016 cyberattack against the Mossos d'Esquadra Union (SME), where hackers accessed and publicly released names, professional numbers, national IDs, bank details, phone numbers, and home addresses of approximately 5,500 union-affiliated officers over eight hours via social media. Hacker Phineas Fischer claimed responsibility days later, releasing a video detailing the intrusion method. Catalan police investigators traced the attack to two suspects who accessed union systems via proxy servers, leading to their arrests. The recurrence of data breaches underscored persistent vulnerabilities in Mossos d'Esquadra’s digital infrastructure, though no technical or procedural links between the 2016 and 2024 incidents were confirmed in the available reporting.
