
Cyber Incident Victim: Globalcaja

Date: May 2023

Location: Spain

Summary

The Spanish financial institution Globalcaja was hit by a ransomware attack attributed to the Play group, which claimed to have stolen confidential data including client and employee documents, passports, and contracts. The bank confirmed the incident affected several local office computers but stated its transactional systems, client accounts, electronic banking, and ATMs remained operational. As a precaution, the bank disabled some workstations and temporarily limited certain operations while it worked to normalize the situation.


Description

On May 31, 2023, the Spanish financial institution Globalcaja registered a cyber incident. The attack was identified as ransomware that targeted some local computer equipment. The bank, based in Albacete, Spain, is a major lender with more than 300 offices across the country and approximately 1,000 employees; it manages over $4.6 billion in consumer loans and serves nearly half a million customers.


The Play ransomware group publicly claimed responsibility for the attack on or around June 2, 2023. The group stated they had stolen an undisclosed quantity of confidential data. Their claims included possessing private and personal confidential information, client and employee documents, passports, and contracts. The group added Globalcaja to their victim list on a dark web site, a common practice for ransomware operators to pressure victims into paying a ransom.

In response to the incident, Globalcaja activated its pre-established security protocols immediately upon detection. As a precautionary measure, the response included disabling specific office workstations to contain the threat, which temporarily limited some operational tasks within the affected local offices. The bank’s official statement, published on June 2, 2023, confirmed the ransomware attack and detailed these initial containment steps. The entity's primary transactional systems were not affected by the attack. Client accounts and agreements were not compromised, allowing the bank's electronic banking platform, known as Ruralvía, and its network of automated teller machines (ATMs) to continue operating normally. Customers could conduct their financial operations securely through online channels without interruption.

The bank’s public communication strategy focused on transparency and reassurance. Through its official Twitter account, Globalcaja issued a statement apologizing for any inconvenience caused and emphasized that prioritizing security was their main focus throughout the response. The company stated that its teams were working intensely to fully normalize the situation and were simultaneously conducting a thorough analysis of the incident to understand what occurred. The bank did not publicly respond to requests for comment regarding whether it would pay a ransom to the threat actors. Industry commentary noted that paying ransoms is discouraged as it funds further criminal activity and does not guarantee the return or deletion of stolen data.

The impact of the incident appeared to be contained to local office workstations, preventing a more widespread network infection. The swift disabling of affected systems limited the ransomware's propagation. The activation of security protocols was cited as a positive aspect of the bank's response, demonstrating a level of preparedness for such an event. The incident did not disrupt the core banking services or financial transactions for its customer base. The consequences of the data theft claimed by the Play group, however, remained a significant concern due to the highly sensitive nature of the information allegedly exfiltrated, which included personal identification documents.

The Play ransomware gang, identified as the perpetrators, first emerged in July 2022. According to cybersecurity researchers, the group initially targeted government entities in Latin America. Prior to the attack on Globalcaja, the group had drawn significant attention for a damaging attack on the City of Oakland, California, which required weeks of recovery efforts. The group has also claimed attacks on other municipalities, such as Lowell, Massachusetts, and several companies across Europe. The attack on a Spanish financial institution aligns with a broader trend of increasing high-profile ransomware attacks against the finance sector globally in 2023. Other notable incidents in the sector included an attack on Tri Counties Bank in the US by the BlackBasta group, a major data compromise at Australia's Latitude Financial, and significant ransom demands from the LockBit group following attacks on Fullerton India and Bank Syariah Indonesia.

The incident at Globalcaja also occurred within a context of rising ransomware attacks in Spain during 2023. Other recent incidents in the country included an attack that crippled a hospital in Barcelona and another that disrupted operations for a Spanish amusement park company. Financial institutions have long been attractive targets for cybercriminals due to the large volumes of sensitive data they manage and the critical services they provide. The potential for financial damage and reputational harm is significant when client information is targeted and threatened with public leakage. The Globalcaja incident underscores the ongoing cybersecurity challenges faced by the banking sector and the importance of having robust response protocols to limit operational disruption and maintain customer trust.
