In 2025, the Catalan Data Protection Authority (APDCAT) recorded a total of 232 notifications of security breaches (NSBs), a 27.4 % increase compared to the previous year. These are security breaches within public bodies or private entities performing public functions in Catalonia.
The incidents affected at least 730,000 people, three times more than the previous year. However, the figure could be even higher, given that in eighteen cases it was not possible to determine the number of affected individuals. The increase is explained by the rise in reported cyberattacks, including both ransomware attacks and malicious access to systems resulting from stolen credentials, incidents that typically involve many affected individuals.
In this regard, cyberattacks have increased by 70 % since 2024, rising from 17 % of total incidents in 2024 to 30 % in 2025. Together with thefts of devices and documentation, which account for 6 % of incidents, these malicious external acts represent the second leading cause of security breaches reported to the Authority, increasing from 33 % in 2024 to 36 % in 2025.
As for cyber incidents, it should be noted that they increasingly involve the exfiltration of information. At present, organizations are better prepared to restore information in a short period of time and can therefore cope with encryption, whereas preventing the publication or sale of data poses greater challenges and may be more profitable for attackers. Following a security breach of this nature, many entities, in compliance with regulations, have implemented two-factor authentication and adopted measures to help staff detect malicious messages.
The leading cause of recorded data security incidents continues to be human error (58 %), a figure almost identical to that of the previous year (59 %). This includes accidental improper disclosures of information, erroneous sending of communications, and configuration errors that have allowed unauthorized access. On the other hand, malicious internal acts, that is, data security breaches caused by the abuse of access privileges by employees who extract, copy, or forward data without authorization, account for 5 % of incidents and remain the third leading cause, with little variation compared to previous years.
Communication to affected individuals
Regarding the communication of security breaches to affected individuals, which must be carried out when the breach entails a high risk to those affected, this obligation was fulfilled in almost 60 % of cases in 2025, the same as in the previous year. Of this 60 %, the APDCAT only had to require such communication from data controllers in 5 % of the reported incidents, while the remaining 95 % did so on their own initiative. It is important to note that timely communication is essential to alert affected individuals to potential risks arising from a security breach, such as fraudulent use of data or identity theft.
In 2025, the Catalan Data Protection Authority recorded a total of 232 data security incidents, affecting more than 730,000 people, with a 70 % increase in cyberattacks and human error as the leading cause