
Hackers demand multimillion-dollar ransom for 560GB of Spaniards’ tax data

Spaniards’ tax data is under attack. The Spanish Tax Agency maintains that it has not been the target of a cyberattack claimed by the hacker group Trinity. Instead, the public body points to an external, private company with no connection to the tax authorities. However, the criminals are believed to hold up to 560GB of taxpayer data and are demanding up to US$38 million to prevent the release of this information, with the payment deadline set for the last day of the year.

According to Spanish authorities, the compromised entity is a private firm in the field of tax and labour consultancy that, due to the nature of its activities, handles tax data for small businesses and individual clients. The cybercrime organization Trinity, which claimed the attack, has never contacted the Tax Agency to demand a ransom or to prove the alleged possession of taxpayer data.

“During the investigation, information was gathered about the possible contents this group might have obtained, and it was confirmed that it did not correspond to data held by the Tax Agency. The reported incident does not involve this organization; rather, according to the information available to the Agency, it appears to have affected a private entity in the field of tax and labor consultancy,” reads a statement from the Spanish tax authorities.

Since Sunday, December 1, when news was published of a possible data breach attributed to Trinity, a group known for its ransomware attacks, the Tax Agency has been “working intensively to verify whether its systems could have been compromised,” according to the authorities. They add that “after a thorough analysis,” they can confirm there is no evidence that its systems or the data under its custody have been affected.

Trinity has been linked to the dismantled cybercrime organization LockBit. This year, an international law enforcement operation led by Britain’s National Crime Agency and the FBI arrested and indicted members of the ransomware gang.

According to the US Health Sector Cybersecurity Coordination Center, “a total of seven Trinity ransomware victims have been identified to date,” including two healthcare providers in the United States and one in the United Kingdom.

US$38 Million ransom

The question of the US$38 million figure that Trinity displayed on its website as the alleged “revenue” of the hacked victim remains unresolved, with some interpreting it as the ransom amount demanded. It is unclear whether the hackers mistook the external company for the Spanish tax authorities.

“With this information, the Tax Agency affirms that, in relation to this case, its systems have not been compromised and that the data of taxpayers under its custody have not been compromised at any time,” the statement explains.

However, public institutions such as the Spanish Traffic Administration (DGT) and the Public Employment Service (SEPE) have been the target of successful hacking attempts in recent years. According to the DGT, data from 27 million drivers was sold this year in specialized forums. Additionally, in 2021, SEPE suffered two large-scale cyberattacks that completely paralyzed its services for several days.

Marc Cervera is a freelance journalist based in Barcelona, Spain, with over four years of experience contributing to leading Spanish and international media outlets. He holds a double degree in Journalism and Political Science from Universitat Abat Oliba and an MA in Political Science from the University of Essex. Marc has lived in the US, UK, Spain, and the Netherlands, and his work primarily explores economics, innovation, and politics.