
Cyber Incident Victim: City Council of Durango

Date: Jan 2023

Location: Spain

Summary

The City Council of Durango suffered a severe cyberattack that paralyzed its computer systems and deactivated corporate email accounts, with recovery expected to take weeks. A ransom demand was issued, but officials refused payment and reported the incident to data protection and cryptological authorities. The disruption hindered citizens from submitting required documents by their deadlines, prompting public complaints that deadline extensions remained unresolved despite the ongoing outage.


Description

The City Council of Durango in Biscay, Spain, experienced a severe cyberattack that began on or shortly before January 7, 2023, resulting in widespread operational disruption. Deputy Mayor Iker Urkiza publicly confirmed the attack had “completely paralyzed” municipal operations, with all council computers and corporate email accounts remaining deactivated since the weekend of January 7-8. The attack’s severity led officials to estimate system paralysis would persist for multiple weeks, indicating extensive compromise of critical infrastructure. Attackers delivered a ransom demand, though the city explicitly refused payment. Authorities reported the incident to the Basque Data Protection Agency and planned additional notification to Spain’s National Cryptological Center, reflecting compliance with national cybersecurity protocols. Technical containment measures were not detailed publicly, but the sustained deactivation of systems suggested ongoing forensic efforts and infrastructure rebuilding.

Citizens faced immediate practical consequences due to the prolonged outage, particularly regarding municipal deadlines for document submissions. Residents reported being unable to file required paperwork through digital channels, generating complaints about the council’s failure to communicate deadline extensions despite the acknowledged service disruption. The paralysis hindered core administrative functions, though the specific mechanisms of the attack (whether ransomware, data exfiltration, or other malware) were not disclosed. No public statements addressed potential data compromise or provided restoration timelines beyond the “weeks” estimate. The incident remained under investigation by data protection authorities, with no attribution to specific threat actors disclosed in initial reports. Operational continuity challenges persisted: no manual workarounds were mentioned, leaving critical citizen services inaccessible through standard digital platforms.
