The Government has acknowledged an erroneous leak of 6,771 personal data in the Register of Aid and Subsidies of Catalonia, a database linked to the Department of Economy and Finance. The incident was detected last March 10 and led to the interruption of the service upon verifying that part of the exposed information corresponded to personal data of beneficiaries.
From Economy they specify that the problem was located in records of aid coming from local entities sent through the National Database of Subsidies. The department maintains that a general affectation has not been detected on the Generalitat's own data.
The incident caused the massive removal of records
The failure is behind the initial interruption of the full service and also the sudden disappearance of about a million Generalitat grant records. That withdrawal became visible after the activity of Subvencions.cat, a public aid search engine developed from data from the Catalan administration, came to light. At that time, the executive generically attributed the service outage to a technical problem.
Economy now explains that the disconnection was decided as soon as it was detected that some data included personal information. Subsequently, it was verified that the affected records corresponded to identifiers different from the DNI or NIE, as occurs with some passports, which had bypassed the anonymization filters.
Impact limited to beneficiaries of local aid
The incident affected about 7,000 beneficiaries. The department specifies that only data from local entities were compromised and emphasizes that there is no general impact on the Generalitat's data. Autonomous subsidies, it adds, could be consulted normally the next day and with the same information once it was verified that confidential data remained protected by existing controls.
In parallel, the Govern assures that it continues working to resolve as soon as possible the incident affecting the data of local entities. Meanwhile, it maintains that those subsidies can be consulted in the state database.
Data protection and open research
The process has already been communicated to the Catalan Data Protection Authority, which was promptly informed of the incident. The authority has already launched an investigation to clarify what happened and determine the extent of the failure.
From Economy they point out that the control system is already being modified to avoid new similar episodes. The department states that the entire supervision format is being changed and adapted to new filters, with the aim of reinforcing the anonymization of the records that arrive from local entities.