Spanish authorities have arrested two suspects in connection with a large-scale data theft targeting the regional education system of Castilla-La Mancha. Nearly 10 million records belonging to students, parents, and educators were stolen and subsequently sold on underground forums. Two individuals were detained in Valencia and Torreblanca (Castellón) and have appeared in court in Zaragoza facing charges including revealing secrets, damaging information systems, money laundering, and participation in a criminal organization.

What Happened

In a coordinated operation involving police units from Valencia, Madrid, and Castellón, two suspects were arrested as part of an investigation into at least 30 cyberattacks across various systems. The Castilla-La Mancha regional education platform was among the primary targets. Investigators determined the pair were members of a broader organized group with prior cybercrime experience, operating across multiple European countries. The stolen data was monetized through underground forum sales, direct fraud, and identity theft operations. Cryptocurrency and international exchange services were used to launder proceeds, deliberately complicating financial tracing.

What Was Taken

Approximately 10 million confidential records were exfiltrated, including:

The data scope — spanning an entire regional education system — makes this one of the largest confirmed education sector breaches in Spanish history. Records were actively circulated on dark web forums and used directly for fraud and identity theft, meaning exposure is not theoretical.

Why It Matters

Education platforms are systematically underinvested in security while holding high-value PII on minors and families. This incident is a textbook illustration of why: a regional education authority was running platforms without multi-factor authentication, leaving millions of records accessible to what investigators describe as a technically sophisticated but not nation-state-level threat actor. The criminals operated a transnational infrastructure across multiple European countries, ran cryptocurrency laundering at scale, and executed at least 30 attacks — suggesting a professional operation, not opportunistic script kiddie activity. Spain recorded 160 attacks on critical infrastructure in 2024 alone. The education sector, despite holding sensitive data on minors, rarely appears in those statistics — which is exactly why it's a soft target.

The Attack Technique

Full technical intrusion details have not been publicly disclosed, but investigators confirmed:

The suspects were described as having prior cybercrime experience and learning through specialized forums — consistent with an established Eastern European or domestic cybercrime model where skills are developed and traded within closed communities.

What Organizations Should Do

  1. Enforce MFA immediately on all education and public sector platforms — Castilla-La Mancha only implemented 2FA after the breach. This is table stakes for any platform holding PII.
  2. Audit data minimization practices — Regional education platforms have no reason to retain 10 million active records without strict retention and segmentation policies.
  3. Monitor dark web exposure — If your organization handles student or staff PII, check breach intelligence feeds for data already in circulation.
  4. Implement anomalous access detection — Bulk data exfiltration at this scale leaves detectable patterns; behavioral analytics on access logs would have surfaced this earlier.
  5. Assume breach for affected individuals — Students, parents, and staff in Castilla-La Mancha should be treated as compromised; phishing and identity fraud targeting these individuals is likely ongoing.
  6. Map cross-jurisdictional data flows — If your platforms share data with third-party services across EU member states, confirm GDPR breach notification obligations are being met within the 72-hour window.
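As an added illustration of the behavioral-analytics point in item 4 (example code, not from the original post or the Castilla-La Mancha platform): a minimal bulk-access detector run over constructed access-log lines in a hypothetical key=value format, flagging any account that touches far more distinct records in one hour than the population median.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Hypothetical log format (constructed for this example, not the real platform's):
#   <ISO-8601 timestamp> account=<id> action=<verb> record=<type>:<id>

def parse_log(text):
    """Yield (timestamp, account, record) from log text; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all("=" in p for p in parts[1:]):
            continue  # truncated or garbled line: count it elsewhere, never crash the detector
        fields = dict(p.split("=", 1) for p in parts[1:])
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        yield ts, fields["account"], fields["record"]

def hourly_distinct_records(events):
    """Map (account, hour bucket) -> set of distinct records touched in that hour."""
    buckets = defaultdict(set)
    for ts, account, record in events:
        buckets[(account, ts.replace(minute=0, second=0, microsecond=0))].add(record)
    return buckets

def flag_bulk_access(log_text, factor=10, floor=50):
    """Return [(account, hour, count)] where an account touched more distinct
    records in one hour than max(floor, factor * population median)."""
    counts = {k: len(v) for k, v in hourly_distinct_records(parse_log(log_text)).items()}
    baseline = median(counts.values()) if counts else 0
    threshold = max(floor, factor * baseline)
    return sorted((a, h.isoformat(), n) for (a, h), n in counts.items() if n > threshold)

def build_sample_log():
    """Constructed sample: ten staff accounts each viewing five records per hour for
    three hours, plus one account enumerating 3000 sequential ids in a single hour."""
    start = datetime.fromisoformat("2024-03-04T08:00:00+00:00")
    stamp = lambda ts: ts.isoformat().replace("+00:00", "Z")
    lines = [f"{stamp(start + timedelta(hours=h, minutes=7 * j))} account=teacher_{i} "
             f"action=view record=student:{1000 + 5 * i + j}"
             for h in range(3) for i in range(10) for j in range(5)]
    lines += [f"{stamp(start + timedelta(hours=1, seconds=k))} account=svc_reports "
              f"action=export record=student:{k}" for k in range(3000)]
    lines.append("garbled line that the parser must skip")
    return "\n".join(lines)

if __name__ == "__main__":
    for account, hour, count in flag_bulk_access(build_sample_log()):
        print(f"ALERT bulk access: {account} touched {count} distinct records in hour {hour}")
```

In production the baseline would come from each account's own history rather than a single population median, but the shape of the signal (distinct records per account per window versus a learned norm) is the same.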
