"The investigation, overseen by Madrid Investigative Court No. 22, began after authorities detected the mass dissemination of this data, which created an immediate risk to the security and integrity of both the affected individuals and the institutions themselves," Spain's National Police said.
Spain's National Police operation (May 27 arrest)
Spain's National Police say they located and arrested an individual on Wednesday, May 27, accused of publishing a large collection of personal data tied to key state organizations. The agency described the publication as carrying "national security risks because of the people exposed." Following the arrest, officers executed a search of the suspect's home and seized computers and other electronic devices that might hold forensic evidence.
Affected institutions named in the published dataset
Authorities identified the sources of the published information as records tied to the State Attorney General's Office, the National Cybersecurity Institute (INCIBE), the National Police, the Civil Guard, and the National Security Council. Spain's National Police characterized those entities as "critical" to the country's functioning and said the dissemination posed an immediate risk both to the affected individuals and to the institutions themselves.
How the data was collected and where it appeared
INCIBE posted in February that a doxing operation was ongoing and emphasized that its own systems had not been directly breached. Instead, INCIBE said the operation involved the targeted collection and publication of data affecting key entities and their employees. The police bulletin and INCIBE pointed to potential sources such as older breaches, credential dumps, and open-source intelligence (OSINT) tools; the data appears to have been aggregated and correlated to produce curated collections.
Some of the leaked records reportedly contained outdated information and even the names of employees who had left INCIBE years earlier. The group identified in reporting as responsible for the leak was called 'Police-ESP-Doxed,' which posted the material in one of the iterations of BreachForum that existed at the time. Separately, in March the personal data of hundreds of Spanish judges and prosecutors was posted on Doxbin and included full names, DNI numbers, personal mobile phone numbers, and professional email addresses.
Investigation oversight and prospects for further action
The National Police said the investigation is being overseen by Madrid Investigative Court No. 22. Police statements made clear they are examining the devices seized in the May 27 search for evidence of additional participants in the operation; officials warned that further arrests could follow as forensic work proceeds. The press release did not state whether the arrested individual was also responsible for breaching any institutional portals, and the police did not confirm a technical compromise of INCIBE systems.
What this means for technologists, policymakers, and affected employees
- Technologists and security teams: The incident underscores risks from aggregated datasets assembled from legacy breaches, credential dumps, and OSINT. Security teams tied to the named organizations will likely focus on verifying whether internal systems were accessed, validating account hygiene, and hunting for reuse of credentials or correlated data sets circulating publicly.
- Policymakers and judicial overseers: The investigation's placement under Madrid Investigative Court No. 22 and the swift operational response from the National Police illustrate how judicial authorities and law enforcement are being involved when leaks implicate national security risks and critical state institutions.
- Affected employees and the public: Individuals named in the published collections — including some whose employment records are outdated — face exposure of personal identifiers and contact details, as demonstrated by the March Doxbin publication of judges' and prosecutors' DNIs, mobile numbers, and professional emails.
The case centers less on a single technical intrusion than on the assembly and publication of sensitive records drawn from multiple sources and amplified by online leak platforms. With seized devices currently under forensic review and the possibility of further arrests, the immediate facts are a reminder that vulnerability in the digital age often arrives by aggregation: old leaks, public data, and targeted collection can combine to create fresh national-security and privacy consequences.
