MADRID — The Spanish National Police arrested an individual in Madrid on May 27 for leaking sensitive personal data of employees from key state institutions, including the National Cybersecurity Institute (INCIBE), the Civil Guard, and the National Security Council. The arrest followed a raid on the suspect’s residence, where authorities seized computers and other electronic devices for forensic analysis.

According to a police statement, “The investigation, overseen by Madrid Investigative Court No. 22, began after authorities detected the mass dissemination of this data, which created an immediate risk to the security and integrity of both the affected individuals and the institutions themselves.” The police added, “Given the seriousness of the situation, an urgent operation to locate and arrest the perpetrator was launched, culminating last Wednesday, May 27, with the arrest of the perpetrator and a search of his home.”

The leaked information included personal details of personnel from the State Attorney General's Office, INCIBE, the National Police, the Civil Guard, and the National Security Council. Some of the records contained outdated information, including names of individuals who had left INCIBE years earlier. The police press release did not specify whether the suspect was also responsible for breaching institutional portals.

This incident follows earlier disclosures in February, when INCIBE acknowledged an ongoing doxing operation targeting its employees. The institute stated at the time that its systems had not been directly compromised but that data about key personnel had been collected and published through external means. Potential sources of the leaked information include older data breaches, credential dumps, and open-source intelligence (OSINT) tools, which may have been used to compile and correlate curated datasets.

In March, personal data of hundreds of Spanish judges and prosecutors—including full names, national identity (DNI) numbers, personal mobile phone numbers, and professional email addresses—was published on the website Doxbin. The recent leak appears connected to this broader pattern of targeted disclosures. Online forums, including an iteration of BreachForum, were allegedly used to distribute the data under the name ‘Police-ESP-Doxed.’

Investigators are currently examining the seized electronic devices for evidence of additional participants in the data leak. Authorities have not ruled out further arrests as the forensic analysis continues.