How are our data truly secure?
Despite the reassuring messages issued by companies that have suffered personal data breaches, the truth is that the trail of the stolen information can remain for years on the dark web.
Barcelona. Companies and organizations that suffer data breaches have developed a comforting narrative: "We detected it, patched the security hole, and it won't happen again." The problem is that this mantra ignores an uncomfortable reality: once data has been extracted, it is almost impossible to stop its spread on the dark web, where it can circulate for years. We review three incidents—two very recent ones, Endesa and Spotify, and one older one, the Consorcio Sanitario Integral (the entity that includes the Broggi Hospital in Sant Joan Despí)—as distinct examples of this ongoing crisis and the corporate efforts to reduce the reputational impact.
Endesa's operational data
Two days before Three Kings' Day, a hacker calling himself Spain posted on BreachForums that he had obtained more than 1 terabyte of information from Endesa. He boasted of having extracted it in just two and a half hours, but the electricity company took a whole week to notify its customers. The statement referred to a "security incident"—never a "theft"—and was quick to assure everyone that passwords were intact. Imagine the relief, when someone already has your ID number, bank account details, supply point, and full address.
This is classic operational data theft: the information a company collects about its customers to manage the service. A study by the University of Wisconsin indicates that 40% of breach notifications include the phrase "we have no evidence of misuse." The problem is that companies cannot track what happens to the data once it leaves their systems.
Furthermore, the Endesa case highlights a disturbing aspect. The electricity company has informed people who ceased being customers years ago that their data has been stolen. Why did they still have it? The regulatory labyrinth of the GDPR allows for the retention of former customer data for five or six years for tax purposes, but there's a difference between keeping it and protecting it adequately. Let's remember that the Spanish Data Protection Agency already fined Endesa €6.1 million in 2023 for a previous breach in which data was sold through Facebook ads (thanks, Mark Zuckerberg!).
This hacker claims to have 20 million records. Endesa says 3 million. The actual number of active customers is around 10 million. This data is already circulating, and some affected customers have already reported fraudulent calls (vishing) from people who try to make them switch electricity providers.
Spotify: when what they steal is the product
In December, the mysterious website Anna's Archive announced it had "backed up" virtually all of Spotify: metadata for 256 million songs and 86 million audio files, nearly 300 terabytes of music. We're not talking about operational data on customers here, but the content that is the service's lifeblood. The collective, known for archiving out-of-print books and academic articles, presents it as a project to "preserve humanity's musical heritage." Spotify acknowledged the "unauthorized access" but insisted that no user data had been compromised. It deactivated the accounts used and implemented "new safeguards." The implicit message: this doesn't affect you, keep paying us to listen. But 300 terabytes of music are already available via torrents, and no security update will make them disappear.
This particular incident raises fascinating questions beyond the crime itself: with all the metadata and files available, it opens up the possibility of creating music analysis tools, alternative recommendation systems, or even decentralized platforms that circumvent Spotify's monopoly. The "preservation" that Anna's Archive proclaims could end up being unexpected competition.
Health Consortium: the unforeseen collateral damage
In 2022, RansomExx published 52 gigabytes of data from the Consorci Sanitari Integral de Catalunya, extracted as part of a double-extortion ransomware attack: before encrypting the victim's information to demand a ransom, the criminals keep copies of it, in this case patients' ID cards, medical records, and even hospital on-call schedules. The organization described the leak as a "small volume of data." This case illustrates the third type of theft, perhaps the most disturbing: the collateral damage of personal data that should never be on corporate systems.
News reports often focus on operational data—patient data, in this case—but thefts of employees' personal documents are often just as, if not more, dramatic. At the time, I was able to examine a sample of the loot: it contained everything from boarding passes and hotel reservations to school reports and children's photo albums belonging to employees who had saved them on work servers. This intimate information, which the company didn't even know it was storing, ends up circulating on the same dark web as the officers' data.
An irreversible evil
The three organizations followed the same script: acknowledge the incident, assure everyone that the vulnerability had been "closed," and minimize the reputational consequences. But these guarantees about having "plugged the hole" are irrelevant when the data is already circulating on the dark web. In these clandestine markets, a complete identity sells for between €15 and €200. These databases can remain active for years, resold again and again, resurfacing in increasingly sophisticated attacks thanks to AI-powered personalization. Endesa's data, Spotify's metadata, or the Consorci Sanitari's children's albums won't disappear just because someone updated their firewall. While companies proclaim that "data security is a strategic priority," perhaps a more basic question should be asked: given the results, what exactly does this supposed priority mean? The answer will come in the next data breach notification you receive. It will be written in impeccably ambiguous language, guarantee that the passwords are secure, and urge you to "take extra precautions." Precautions that, obviously, you should never have needed.