-
A threat actor group claims to have stolen facial photos, national ID cards, and personal records from Spain’s General Directorate of the Police.
-
The alleged 13 GB database dump is now circulating on underground forums, covering roughly 40% of Spain’s total population.
-
Spanish authorities have not confirmed or denied the breach, leaving millions of citizens in the dark about their exposure.
A threat actor group identifying as EsqueleSquad, operating under the alias Skull1172, is claiming responsibility for a major breach of Spain’s General Directorate of the Police.
The group alleges it extracted a 13 GB consolidated database containing the personal records of more than 19 million Spanish citizens and politicians. The data has reportedly surfaced on an underground forum, and the cybersecurity community is taking the claim seriously.
According to the actors’ claims, the exposed dataset contains biometric photos, national ID cards (DNI), residence information, email addresses, full names, and other personal details. No independent body has verified the claim, and Spanish authorities have not issued any formal statement confirming or denying the breach at the time of publication.
The alleged scale of the exposure, covering roughly 40% of Spain’s total population, has sent shockwaves through security circles worldwide.
Biometric Data Poses Unique and Permanent Risk
What makes this alleged breach especially alarming is the nature of the data involved. Passwords can be reset. Credit card numbers can be cancelled. A human face cannot be changed.
Security researchers and online commentators quickly flagged this distinction. One user on X (formerly Twitter) pointed out that a leak of this nature goes far beyond conventional identity theft.
According to the post, a database of biometric photos and national IDs sitting on an underground forum becomes a ready-made resource for synthetic document fraud and deepfake operations at international borders. The user described the potential damage as permanent.
Another commenter captured the weight of it differently, noting that submitting biometric data to a government agency should not mean surrendering sovereignty over one’s own identity. That framing resonated widely, drawing significant engagement from users across Europe and beyond.
The story gained rapid traction on X, drawing reactions ranging from alarm to dark humor. One user put it plainly: 19 million Spaniards cannot change their face or their national ID number. That reality, more than anything else, defines why a biometric breach sits in a different category of risk entirely.
Scope of the Breach Remains Disputed
Not everyone accepted the threat actors’ claims at face value. Some voices on X urged measured skepticism about the true scope of the alleged dump.
One commenter pushed back on the idea that Spain’s police hold biometric data on all private citizens. According to that perspective, the national police facial recognition database is not a universal registry.
Citizens with no criminal record and no prior contact with the justice system would not typically appear in it. That rebuttal raised important questions: whose data is actually in this dump, and how accurately do the threat actors’ claims reflect its real contents?
Those questions remain unanswered. The lack of an official response from Spanish authorities has only deepened the uncertainty. Without a formal investigation or disclosure, affected citizens have no reliable way to determine whether their information is part of the alleged exposure.
The broader mood online reflected a growing frustration with data security at the institutional level. One user summed it up bluntly, saying that privacy and decent database protection have become something of a joke lately. Given the relentless pace of major breaches recorded through 2025 and into 2026, that sentiment is increasingly hard to dismiss.
What Citizens Should Do Now
Spanish authorities and national cybersecurity agencies have yet to respond publicly to the claims. That silence, however, does not reduce the risk to ordinary citizens.
Security experts advise affected individuals to monitor official government communications closely in the coming weeks. Phishing attempts and suspicious identity verification requests tend to spike in the aftermath of high-profile breach claims, as bad actors move quickly to exploit public confusion. Citizens should treat any unexpected request for personal details, whether by email, phone, or online form, with heightened caution until authorities issue a clear statement.
The alleged breach serves as a sharp reminder that government databases are not immune to attack, and that when they fall, the consequences can outlast any patch or policy update.
