Cyber Incident Victim: Empresa Provincial de Informática de Córdoba
Date:
Feb 2023
Location:
Spain
Summary
Cybercriminals executed a ransomware attack against a provincial tax management entity linked to the Córdoba government, encrypting data and demanding payment to prevent its release. The attackers later attempted extortion by threatening to publish stolen information, prompting the organization to involve law enforcement. Due to pre-existing technological safeguards and functional backups, the entity restored operations swiftly without total data loss, though some service delays occurred. The incident was reported to national cybersecurity authorities for investigation, with officials noting such attacks typically follow a pattern of infiltration, encryption, and ransom demands.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 1, 2023, cybercriminals executed an attack against Eprinsa, the provincial IT company owned by the Diputación de Córdoba responsible for managing municipal tax systems across Córdoba province. The attackers breached Eprinsa’s network, encrypted portions of its data, and later demanded a ransom payment to prevent public release of stolen information. The incident followed a three-phase pattern typical of such operations: initial system infiltration, data exfiltration and encryption attempts, followed by extortion demands. Eprinsa immediately notified Spain’s National Cryptologic Center (CCN-CERT), the national cybersecurity authority responsible for coordinating incident response, and engaged its technical resources to counter the attack. Due to preexisting backup systems, the attackers failed to fully encrypt Eprinsa’s data repositories, allowing the organization to restore operations rapidly despite temporary disruptions, including delays in publishing the provincial official bulletin (Boletín Oficial de la Provincia).
By early March 2023, the attackers escalated their campaign by directly threatening the Diputación de Córdoba with data disclosure unless payment was made, confirming their intent to monetize stolen information. The Diputación formally reported this extortion attempt to the Guardia Civil, which initiated an investigation pending formal complaint documentation. Eprinsa President Víctor Montoro publicly affirmed that no data loss occurred due to robust backup protocols, though systems experienced significant operational stress during containment efforts. The incident coincided with similar attacks against other Spanish administrative entities during early 2023, though no specific threat actor group or ransom amount was disclosed. Recovery relied entirely on internal backups rather than ransom negotiations, and while service interruptions occurred, core functions were restored without prolonged downtime. The Guardia Civil’s investigation remained active as of March 2023, focused on identifying the perpetrators behind the intrusion and extortion attempt.