Employee records from Spain's Ministerio de Hacienda appeared online on March 10, 2026. The leaked data includes national ID numbers (DNI), bank account numbers (IBANs), phone numbers, physical addresses, full names, and government email addresses with the @hacienda.gob.es domain.
PoliceEspDoxedBF had posted AEAT employee data one day earlier. Two Spanish government agencies were hit within 48 hours by a single actor.
The actor published the Hacienda dump for free. The listing appeared under the title "SPAIN-HACIENDA-GOB-ES-EMPLEADOS" and included a direct download link and a Telegram channel. The actor wrote that the leak "directly affects members of the Ministerio De Hacienda in Spain" and "contains ID numbers, phone numbers, addresses, IBANs, full names, emails." The account was created in February 2026, accumulated six posts, and has since been banned.
Samples posted alongside the listing show structured records. Each entry contains a full name, DNI, phone number, and a ministry email address at hacienda.gob.es. Some entries list a second address at a different government domain.
The total number of affected employees is not known.
IBANs make this dump more dangerous than the earlier AEAT leak. The tax agency dump did not contain banking information. National ID numbers paired with bank account details and government email addresses create a direct path to payroll redirect fraud, targeted phishing, and identity theft through Spain's digital signature systems.
Two agencies hit within days suggests a pattern. The actor may have access to a shared government data source or may be running a coordinated campaign against Spanish public administration employees.
PoliceEspDoxedBF posted the Agencia Tributaria (AEAT) leak on March 9, 2026. That dump reportedly covered staff "of all ranks and ages," and the exposed individuals were not public-facing employees, meaning the leak revealed their affiliation with Spain's tax enforcement agency for the first time.
Spain's Ministerio de Hacienda has faced repeated breach claims in 2026. On January 31, a separate actor calling themselves HaciendaSec claimed to possess a database of 47.3 million Spanish citizens, including DNI/NIF numbers, addresses, IBANs, and tax information. Hackmanac, the threat monitoring platform, detected and reported the claim on X.
The Ministry investigated alongside Spain's National Cryptologic Centre (CCN-CERT). As of February 3, 2026, official sources from the department led by Minister María Jesús Montero said no traces of unauthorized access had been found, according to UpGuard. That claim remains unverified.
Spanish government agencies have been hit from multiple directions since late 2024. The Trinity ransomware group claimed 560 GB of AEAT data in November 2024, with a ransom deadline of December 31. Energy company Endesa disclosed a breach in early January 2026, with an attacker advertising more than 20 million customer records. Spain's Ministry of Science partially shut down its IT systems in early February 2026 after an IDOR (Insecure Direct Object Reference) exploit, as BleepingComputer reported.
As of publication, neither the Ministerio de Hacienda nor the AEAT has commented on the March leaks. Spain's GDPR enforcement body, the Agencia Española de Protección de Datos (AEPD), has the authority to investigate, but no public notice of a probe has appeared.
Affected employees should act now. Ministerio de Hacienda and AEAT staff who suspect their data was exposed should contact their agency's security office, monitor bank accounts for unauthorized transactions, and verify unexpected credential or payment requests through a separate channel.
Have a story? Become a contributor.
We work with independent researchers and cybersecurity professionals. Send us a tip or submit your article for editorial review.
