Key facts: Ministerio de Hacienda data breach
- Date reported: February 3, 2026.
- Threat actor: HaciendaSec.
- Target entity: Ministerio de Hacienda y Función Pública (hacienda.gob.es).
- Records involved: Claimed access to data for 47.3 million citizens.
- Data types: Allegedly includes tax identification numbers, names, addresses, phone numbers, email addresses, and bank details.
- Status: Unverified; the Ministry has officially denied finding evidence of a breach in its internal systems.
- Severity: Medium; classified as informational pending the verification of the leaked data's authenticity.
What happened in the Ministerio de Hacienda data breach?
The Ministerio de Hacienda y Función Pública (hacienda.gob.es) was the subject of an alleged security incident reported on February 3, 2026. A threat actor identifying as HaciendaSec claimed to have breached the ministry's internal databases, offering an extensive collection of tax and personal data for sale on a dark web forum. The claims suggested that the database covers nearly the entire population of Spain, affecting approximately 47.3 million citizens.
In response to these allegations, the Ministry, in coordination with the National Cryptologic Centre (CCN), launched an immediate forensic investigation. As of February 3, 2026, official sources from the department led by María Jesús Montero have stated that no traces of unauthorized access or data exfiltration have been found within their network. Authorities are currently investigating whether the "HaciendaSec" claims are a hoax or if the data originated from a different, less secure source.
Who is behind the incident?
HaciendaSec is the threat actor claiming responsibility for the alleged attack. While the actor’s specific origins are currently unknown, their moniker suggests a focused interest in Spanish financial and tax institutions. The actor attempted to monetize the situation by advertising the database on dark web marketplaces frequented by cybercriminals.
Security analysts are evaluating whether HaciendaSec is a sophisticated group or an opportunistic actor attempting to pass off old, recycled data from previous breaches as a new "Hacienda" leak. The Spanish National Cryptologic Centre continues to monitor the actor's footprint to determine their actual capabilities and the legitimacy of the provided data samples.
Impact and risks for Ministerio de Hacienda customers
If the claims made by HaciendaSec are verified, the potential exposure of tax identification numbers (DNI/NIF), bank account details, and postal addresses would pose a severe risk to Spanish citizens. Such data is highly valuable for identity theft, financial fraud, and targeted phishing campaigns. Malicious actors could use tax-specific details to craft convincing social engineering attacks that impersonate official government communications.
Despite the Ministry’s current denial of a system breach, the reports alone can cause significant public concern. Citizens are encouraged to remain vigilant against unsolicited communications regarding their taxes or bank accounts. As the investigation continues, proactive transparency from the Ministry remains critical to ensuring that any potential downstream risks are mitigated.
Frequently asked questions
What happened in the Ministerio de Hacienda security breach?
On February 3, 2026, an actor named HaciendaSec claimed to have stolen a database containing the personal and tax information of over 47 million Spanish citizens from the Ministry of Finance. However, the Ministry has since released a statement denying that any such breach occurred within its systems.
When did the Ministerio de Hacienda breach occur?
The claims were publicized on February 3, 2026. Forensic teams investigated the ministry's network for signs of an intrusion occurring in late 2025 or early 2026 but found no evidence of unauthorized activity.
What data was exposed?
The threat actor claimed the data included full names, DNI/NIF numbers, addresses, phone numbers, emails, and banking information. To date, no evidence has been provided to confirm that this data was actually exfiltrated from the Ministry's servers.
Is my personal information at risk?
While the Ministry has denied a direct breach, you should always remain cautious with your tax and financial information. If the data being sold on the dark web is legitimate, it may have come from a third-party partner or an older leak. It is advisable to monitor your bank accounts for any unusual activity.
How can I protect myself after this data breach?
- Use strong, unique passwords for your Cl@ve account, Tax Agency (Agencia Tributaria) portals, and digital certificates.
- Enable multi-factor authentication (MFA) on all financial and government-related accounts.
- Monitor your bank statements closely for small, unrecognized transactions.
- Be wary of "phishing" emails or SMS messages (smishing) that claim to be from the Tax Agency, especially those requesting urgent payments or bank details.
- Utilize data breach monitoring tools to see if your information appears in any verified dark web datasets.
What steps should companies take after being impacted by this breach?
Government agencies typically follow strict protocols by engaging national cybersecurity centers, isolating systems for forensic analysis, and providing public updates to prevent panic. In this case, the Ministry is continuing to monitor its systems and has re-emphasized its commitment to data security despite the unverified nature of the HaciendaSec claims.

