Cyber Incident Victim: Council of Grenada
Date:
Dec 2022
Location:
Spain
Summary
A Spanish provincial council experienced a data breach when hacktivist group GhostSec accessed and sold a database containing approximately 7 GB of sensitive information, including personal details, work-related data, and credentials with passwords from multiple institutional subdomains. The group initially listed the database for $450, later reducing the price before confirming a sale to an undisclosed buyer; the council asserted they addressed vulnerabilities and invalidated compromised accounts, although the attackers claimed SQL injection as the method without any direct communication between the parties involved.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 29, 2022, the hacktivist group GhostSec listed a database allegedly containing approximately 7 GB of data from the Council of Granada (Diputación de Granada - dipgra.es) for sale at $450 on their channels. The Council, a public entity providing administrative and technical support to municipalities in Granada province, Spain, had its dipgra.es domain targeted. GhostSec provided a sample dataset as proof of possession, which included 17 folders with information tied to subdomains and affiliated institutions such as campus_social (a subdomain), Cemci (Center for Municipal Studies and International Cooperation), and pmd (Granada Sports Council). The sample contained personal and work-related information on individuals, along with usernames and passwords stored in several files. GhostSec attributed their access to an SQL injection (SQLi) vulnerability, though the Council did not publicly confirm this attack vector.
The initial listing received limited attention until late January 2023, when discussions on Twitter and a paywalled article by IDEAL.es highlighted the incident. The Council reportedly downplayed the breach, stating protocols had been activated and characterizing it as minor. GhostSec relisted the database on their Telegram channel on February 11, maintaining the $450 price, but reduced it to $250 by February 16. The listing was later removed, with GhostSec informing DataBreaches.net that the data had been sold to an undisclosed buyer. DataBreaches.net independently verified the sample’s contents and contacted the Council on February 15 and March 2 regarding exposed credentials. The Council’s press director, Amina Nasser Eddin, stated vulnerabilities had been “detected and resolved” and claimed affected active accounts were disabled and renewed, while older accounts were no longer operational. GhostSec asserted the Council never contacted them during the sale period, and the full dataset—including passwords not disclosed in the sample—remains with the purchaser. The group, historically associated with operations against pro-ISIS entities and #OpIran, has fluctuating affiliations with Anonymous but maintained distinct member identities. The Council did not clarify whether SQLi vulnerabilities were fully mitigated or confirm the total scope of compromised data.