The Data Protection Agency registered 2,675 leaks in 2025 that affected more than 200 million users in Spain. This figure doubles the impact of the previous year, when the compromised data reached 100 million people.
The volume of claims managed by the agency also marked a historic record, reaching 30,900 complaints. This increase of 12,000 cases compared to 2024 reflects greater citizen awareness of digital rights and privacy protection.
Cyberattacks and human errors cause half of the breaches each
Approximately half of the incidents respond to complex cyberattacks such as ransomware or infiltrations in CRM platforms. The other half is due to human errors by omission of basic security measures in information processing.
The identifying personal data are the most exposed in these breaches. The compromised records frequently include names, addresses, ID numbers, and phone numbers. In second place are current account numbers and contracts, while medical histories are affected sporadically.
"The increase in claims is linked to the higher number of incidents and greater citizen awareness of their rights" - Data Protection Agency
The private sector concentrates the vast majority of these episodes of computer insecurity. 81 percent of breaches correspond to private companies, compared to the remaining 19 percent that affects public bodies and companies.
Only 77 sanctions add up to 20 million euros in fines
Of the 2,765 incidents reported during the year, only 77 resulted in effective sanctions or warnings. The fines imposed amount to a total of 20 million euros, a relatively low figure compared to the magnitude of the detected breaches.
Eleven of these breaches are classified as high severity and remain under active investigation by the agency's technicians. The rest of the cases have already been resolved or archived after the corresponding verification procedures.