Globalcaja cyber attack

The ‘Play’ ransomware group has added Spanish Bank Globalcaja to its list of victims after compromising systems and stealing clients’ private and sensitive data. 

The hacker group claimed on its Tor leak site on Thursday it has access to clients’ employee documents, passports, contracts and more, and is threatening to publish the data on June 11, 2023, if the bank does not pay the ransomware. 

Globalcaja confirmed that it had fallen victim to a ‘cyber incident’ in a press release published on Thursday, stating that its incident response procedure was temporarily limiting operations but that no client account data had been compromised. 

“[The attack] has not affected the transactions of the entities, nor the accounts or the agreements of clients,” read Globalcaja’s translated statement.  

“From the very beginning, we activated the security protocols created for this purpose, which led us to disable some office posts and temporarily limit the performance of some operations.

“We continue to work hard to finish normalising the situation and are analysing what happened, prioritising security at all times.”

Globalcaja said it was investigating the incident and has notified local authorities of the attack, but it has yet to disclose which data has been stolen. 

The Spanish Bank is one of the largest banks in Spain, providing banking services to more than half a million clients with 300 offices across the country. 

It is just one of the latest Spanish institutions to fall victim to cybercriminals in 2023, with the country experiencing more cyberattacks this year than ever before.

In March, two major attacks struck on the same day – leaving a hospital in Barcelona paralysed and one of the biggest amusement parks in the country unable to operate. 

Play ransomware strikes again

The attack of Globalcaja marks the latest in a series of large-scale attacks orchestrated by the Play ransomware group. 

The hackers first surfaced in July 2022, targeting large Spanish-speaking banking and government organisations in Spain and Latin America –  but it also has a tendency of deploying attacks on Indian Hungarian and Dutch companies as well.

The hackers previously claimed responsibility for an attack against Rackspace earlier this year, which led to the exposure of sensitive data including passport information and student identity cards. 

They were also behind the ransomware attacks on the City of Aukland, the German hotel chain H-Hotels, and the State of New York (SUNY) Polytechnic College last year. 

‘Don’t give in’

It is yet to be known whether Globalcaja has engaged with the Play hackers or paid any ransomware demands. 

But Martin Mackay, CRO at Versa Networks said the attack aligns with a long-standing trend of ransomware groups targeting financial institutions due to the volume of personal and sensitive data they hold and process. 

“Targeting client information and threatening to leak data can not only result in financial damage but also jeopardise the values and the reputation of the bank, Martin said. 

Whilst it’s unknown if Globalcaja has paid Play’s ransom demands, the most important thing in this situation is to not give in to any demands. 

“Paying the ransom is no guarantee that stolen data will be returned or not leaked, and it only fuels further cybercriminal activity.”