
357 million people notified of a data breach since 2024. And in the first four months of 2026 alone, the AEPD (Spanish Data Protection Agency) has already received nearly two-thirds of what 2025 saw in total.
The AEPD logs the breach notifications it receives and now publishes the details in an interactive dashboard: volume, sectors affected, victim profiles, severity, attack methods, and geography. This transparency is valuable. Companies can benchmark their risk exposure, DPOs can build a case for their board, and CISOs can right-size their investments.
1. 2026 is breaking records
The numbers are stark. Between 2024 and April 2026, the AEPD received 7,041 breach notifications: 2,704 in 2024, 2,600 in 2025, and already 1,737 in the first four months of 2026 alone. At this rate, 2026 will easily surpass both previous years.
Even more striking: March 2026 alone recorded 762 notifications, an all-time high. April followed with 502 new notifications. This isn't statistical background noise anymore — it's a tipping point.
The human scale is staggering: 357 million people notified in total, including 209 million in 2025 alone. The peaks in October and November 2025 (close to 60 million people notified each month) suggest one or more nationwide mega-breaches.
2. Who are the victims?
The AEPD report tells us a lot about who gets hit. Unsurprisingly, customers and citizens dominate (268 cases), followed by employees (145). Worth noting: a large share of breaches hit organizations' own HR data, not only the external customer data most programs focus on.
The most sensitive number is elsewhere: 113 breaches involve special categories — data with extra legal protection. And among these, 105 cases involve health data, whether of patients (80) or employees (25). Then: trade union membership (11), genetic data (6), racial or ethnic origin (5), and more rarely, religion, sex life, or political views.
Severity is mixed: 311 breaches are classified as low severity, 98 as medium severity, and 23 as high severity. Another 69 cases have unknown consequences — a blind spot worth watching.
3. Tourism and healthcare on the front line
The sector split is clear. With 97 notifications for tourism and 93 for healthcare, two of Spain's biggest industries account for the largest share of incidents. Behind them: retail (36), education (24), IT services (21), and private insurance (12).
This isn't coincidental. The tourism sector handles enormous volumes of personal data (passports, payment methods, travel data) often shared between multiple partners (hotels, agencies, booking platforms). Healthcare deals in ultra-sensitive data by nature — and its information systems have long been fragmented and hard to secure.
On the map: Madrid (135 notifications), Catalonia (114), and the Valencian Community (52) lead the count. The report also records 81 cross-border breaches, 53 of which involve France. In Europe, risk doesn't stop at national borders.
4. Most concerning: 68% of breaches are intentional
This is the report's most striking number, by far. Of the 502 notifications filed through the AEPD's online form, roughly two in three (68%) record a deliberate attack rather than an accident or a technical failure. By impact, 462 hit data confidentiality, against 98 for availability and 12 for integrity (one breach can affect more than one, which is why the figures add up to more than 502). Bottom line: these aren't outages, they're leaks.
The attack methods point the same way. The top three alone (unauthorized access, phishing, ransomware) account for more than 500 incidents. What they share: the attacker ends up reading real data sitting in a live system. Which raises the question: did that data really need to be there in its real form?
5. Non-production data: an underestimated risk
The breaches in the AEPD's statistics are, for the most part, breaches of production systems. But they leave out a reality every CIO knows: production data is routinely copied into other environments (development, testing, QA, training, analytics), usually with weaker access controls and less monitoring than the system it came from.
Each copy is one more place the same real data can leak from, and a leak from a test database is just as notifiable as a leak from production.
GDPR Article 5(1)(c) lays down the minimization rule: only process the data you actually need for the purpose at hand. The Spanish LOPDGDD goes further: its Article 72 classifies as a very serious offense "the deliberate reversal of an anonymization process aimed at enabling the re-identification of the data subjects". The lawmaker is treating re-identification as a real threat, which sets the bar for practitioners: a transformation that can be undone (a stored mapping table, an unsalted hash of a small-domain field, a key that stays around) is not anonymization, and only robust, irreversible anonymization actually protects.
In practice, though, minimization rarely makes it outside production. A developer does not need to know a customer's real name, real address, or real card number to test a feature.
6. Anonymization: the only structural response
One response actually works: irreversible data anonymization. Unlike security tools that try to block access, anonymization addresses the problem before it starts: it turns real data into fake data, still useful for the business, useless if it leaks.
This distinction matters: properly anonymized data is no longer personal data, so if it leaks there is no notifiable breach. The caveat is that this holds only for irreversible anonymization. Pseudonymized data (hashed, tokenized or masked copies whose key or mapping still exists somewhere) remains personal data under GDPR Article 4(5), and a leak of it is still a breach. Done right, it's the only approach that kills the risk at the source instead of trying to contain it.
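The two points above, that a test copy does not need real identifiers (section 5) and that only an irreversible transformation counts (section 6), as an added example. This is illustration code written for this page, not code from the article or from DOT Anonymizer: the customer and order rows are constructed sample data, and the technique shown (synthetic format-valid values for direct identifiers, join keys re-derived with a per-run HMAC key that is then discarded) is one reasonable approach, not the product's method. The first half shows why an unsalted SHA-256 of a Spanish DNI is reversible by a dictionary attack; the second half builds a copy that keeps tests working without keeping anything that maps back.

```python
"""Added example (not from the article, not DOT Anonymizer code): why an unsalted
hash is not anonymization, and one way to build an irreversible test copy.
All rows below are constructed sample data."""
import hashlib
import hmac
import secrets
import string

# Constructed "production" extract: fictitious people, public test card numbers.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Ana Lopez", "dni": "12345678Z",
     "card": "4111111111111111", "city": "Madrid", "plan": "premium"},
    {"customer_id": 1002, "name": "Luis Ortega", "dni": "87654321X",
     "card": "5500000000000004", "city": "Valencia", "plan": "basic"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 120.0},
    {"order_id": 2, "customer_id": 1002, "amount": 35.5},
    {"order_id": 3, "customer_id": 1001, "amount": 80.0},
]

# --- format helpers, so the application's own validation still accepts fakes ---
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"   # Spanish DNI check letter = letters[number % 23]

def dni_check_letter(number: int) -> str:
    return DNI_LETTERS[number % 23]

def is_valid_dni(dni: str) -> bool:
    return (len(dni) == 9 and dni[:8].isdigit()
            and dni[8] == dni_check_letter(int(dni[:8])))

def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a card number body (every digit except the last)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def is_luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

# --- what NOT to do: deterministic, unkeyed hashing of a small-domain field ---
def naive_pseudonymize_dni(dni: str) -> str:
    return hashlib.sha256(dni.encode()).hexdigest()

def reidentify(pseudonym: str, candidate_dnis):
    """Dictionary attack: the attacker hashes candidates (a prior leak, or simply
    all 10^8 possible DNI numbers) and joins on the hash. The 'anonymized'
    column collapses back to the real identifier."""
    lookup = {naive_pseudonymize_dni(c): c for c in candidate_dnis}
    return lookup.get(pseudonym)

# --- irreversible test copy ---
def anonymize(customers, orders, run_key: bytes):
    """Replace direct identifiers with synthetic, format-valid values.
    run_key is generated fresh per run and thrown away afterwards: join keys stay
    consistent across tables inside this copy, but cannot be mapped back."""
    def surrogate_id(cid: int) -> int:
        mac = hmac.new(run_key, str(cid).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    out_customers = []
    for row in customers:
        number = secrets.randbelow(10**8)
        card_body = "4" + "".join(secrets.choice(string.digits) for _ in range(14))
        out_customers.append({
            "customer_id": surrogate_id(row["customer_id"]),
            "name": f"Test User {secrets.randbelow(10**6):06d}",
            "dni": f"{number:08d}{dni_check_letter(number)}",
            "card": card_body + luhn_check_digit(card_body),
            "city": row["city"],   # kept: tests need it, not a direct identifier
            "plan": row["plan"],   # (quasi-identifiers still need review on real data)
        })
    out_orders = [dict(o, customer_id=surrogate_id(o["customer_id"])) for o in orders]
    return out_customers, out_orders

def build_test_copy():
    """One run: derive a key, anonymize, drop the key so nothing can undo the ids."""
    run_key = secrets.token_bytes(32)
    result = anonymize(CUSTOMERS, ORDERS, run_key)
    del run_key
    return result

if __name__ == "__main__":
    h = naive_pseudonymize_dni("12345678Z")
    print("hash reversed to:", reidentify(h, ["00000000T", "12345678Z", "87654321X"]))
    custs, ords = build_test_copy()
    for c in custs:
        print(c)
    print(ords)
```

The city and plan columns are passed through untouched because a two-row sample cannot single anyone out; on a real extract those quasi-identifiers need the same scrutiny (generalization, suppression or synthetic replacement), which is where the AEPD's own guidance on re-identification risk applies.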
The AEPD itself pushes these techniques and has published several how-to guides on the subject. The Spanish regulator is one of the most advanced in Europe here.
7. DOT Anonymizer: a practical answer
DOT Anonymizer — ARCAD Software's anonymization solution — is built for complex, heterogeneous information systems. Environments like these are common in tourism, healthcare, banking, and insurance — precisely those highlighted by the AEPD report.
Here's how DOT Anonymizer addresses them:
8. The question is no longer "if", but "when"
357 million people notified. 68% of breaches intentional. A sharp acceleration in 2026. The AEPD report is unambiguous: data leaks are structural, and they're growing.
Securing production isn't enough on its own. As long as real data lives in test, development, and training environments, the attack surface will stay huge. Anonymization is finally the right-sized response.

