Cyber Incident Victim: Ajuntament de Caldes de Montbui
Date: Apr 2022
Location: Spain
Summary
A cyberattack targeted the municipal administration of Caldes de Montbui, Catalonia, disrupting all digital services and forcing citizen transactions to be conducted in person. Attackers demanded a ransom to restore access, but the municipality refused payment, stating it would not negotiate with those responsible. The incident was reported to regional police and cybersecurity authorities. Digital systems remained intentionally locked down as a precaution during recovery efforts, with services to be restored only after ensuring secure operational conditions. The attack was financially motivated, though no data compromise specifics were disclosed.
Description
The cyberattack on Caldes de Montbui's municipal government began in the early hours of Saturday, April 29, 2022, disrupting all digital administrative services. Attackers compromised the town hall's systems, rendering online citizen services inoperable and forcing residents to conduct transactions exclusively through in-person channels. The incident was identified when digital administration functions failed, though the specific detection method wasn't disclosed. By April 30, attackers had issued a ransom demand in exchange for restoring access to the encrypted or disabled systems, explicitly tying payment to service restoration. Municipal operations remained severely limited, with no digital services available for essential citizen transactions.

Mayor Isidre Pineda publicly confirmed the attack's financial motivation but stated the municipality would neither negotiate with attackers nor pay any ransom. The town hall formally reported the incident to Catalonia's Mossos d'Esquadra police force and the Spanish Cybersecurity Agency for investigation. As an immediate containment measure, officials maintained a complete lockdown of all compromised digital systems to prevent further attacker access or data exfiltration. Restoration efforts were delayed pending security guarantees, with full system rebuilding required before safe reactivation. The prolonged outage continued indefinitely while authorities worked to establish secure recovery protocols, prioritizing system integrity over rapid service resumption.
