The Spanish Data Protection Agency (AEPD) has published its latest statistics on personal data breach notifications. In 2025, controllers submitted 2,765 notifications to the AEPD. While the overall number of incidents appears to be stabilising, the scale of high-risk breaches requiring notification to individuals has grown dramatically, exceeding 200 million people.
In this post, we summarise the key findings and identify the main trends that organisations should have on their radar.
Key statistics: stable volumes, escalating impact
The AEPD's 2025 figures show a mixed picture: slightly fewer notifications than last year, but incidents affecting far larger populations:
2,765 total breach notifications in 2025
This represents a decrease of around 6% compared with 2,933 notifications in 2024, but remains significantly above the 2,004 notifications in 2023. Overall, notification volumes appear to be stabilising at a higher baseline than before.
Over 200 million individuals notified following high-risk breaches
Controllers notified over 200 million affected individuals in 2025, a doubling from approximately 100 million in 2024 and continuing an upward trend from around 17 million in 2023. This exponential growth reflects the increasing scale and severity of cyberattacks, particularly those targeting data processors and large platforms.
Very low percentage of cases escalated
Only 11 notifications (less than 0.4% of the total) were referred by the AEPD for formal investigation. Rather than suggesting that notified breaches are “risk‑free” from an enforcement perspective, this low escalation rate indicates that the authority is highly selective and appears to concentrate its resources on a relatively small number of high‑impact or higher‑risk incidents.
Private vs public sector split
Around 80% of breaches originated in the private sector and 20% in the public sector. This is broadly consistent with previous years, though the public sector’s share has increased gradually over time (from around 16% in 2023 and 18% in 2024).
Highest-impact breaches of 2025
The incidents impacting the largest numbers of individuals continued to be driven mainly by a small number of attack vectors:
- Ransomware attacks – Attacks encrypting systems and demanding payment to restore access or prevent publication of exfiltrated data remain a dominant cause of large‑scale breaches.
- System intrusions and data exfiltration – Unauthorised access to internal systems has led to the extraction of large volumes of personal data, often over long periods before detection.
- Attacks on data processors (supply chain attacks) – A growing number of major incidents have stemmed from compromises of large service providers, particularly customer relationship management (CRM) platforms. A single compromise at processor level can have cascading consequences for many controllers and millions of individuals.
For these high‑impact incidents, the AEPD notes that the most common entry point was access to corporate virtual private networks (VPNs) or web applications using compromised user credentials. This typically involves credential stuffing (attackers re‑using username and password combinations leaked from other services), brute‑force attacks on poorly protected accounts, and exploitation of weak or absent multi‑factor authentication (MFA).
The authority reiterates that MFA is one of the most effective and proportionate controls to mitigate these risks.
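The access pattern described above (one source trying leaked credentials against many accounts on a VPN or web login) is detectable in ordinary authentication logs. The following is an added defensive example, not code from the AEPD or the original post; it assumes a constructed four‑field log format (timestamp, source IP, username, result) and flags a source IP that fails against several distinct accounts in a short window, reporting any account it subsequently logged into.

```python
"""Flag credential-stuffing patterns in VPN / web-app authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from any real system. Format (assumed):
# <ISO-8601 UTC timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2025-03-01T08:00:01Z 203.0.113.7 alice LOGIN_FAIL
2025-03-01T08:00:02Z 203.0.113.7 bob LOGIN_FAIL
2025-03-01T08:00:03Z 203.0.113.7 carol LOGIN_FAIL
2025-03-01T08:00:04Z 203.0.113.7 dave LOGIN_FAIL
2025-03-01T08:00:05Z 203.0.113.7 erin LOGIN_FAIL
2025-03-01T08:00:06Z 203.0.113.7 frank LOGIN_OK
2025-03-01T08:05:00Z 198.51.100.2 alice LOGIN_FAIL
2025-03-01T08:05:30Z 198.51.100.2 alice LOGIN_OK
"""


def parse(text):
    """Turn log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def find_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {...}} for each source IP whose failed logins hit at least
    `min_users` distinct accounts within `window`. A single account failing
    repeatedly from one IP (a user mistyping, or plain brute force) is a
    different signal and is deliberately not flagged here."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # sort by timestamp so windows are contiguous
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "LOGIN_FAIL"]
        for i, start in enumerate(fails):
            # Sliding window: distinct usernames failing within `window` of `start`
            users = {e[2] for e in fails[i:] if e[0] - start[0] <= window}
            if len(users) >= min_users:
                # Any successful login from this IP after the spray began is the
                # account most likely compromised and worth forcing a reset on.
                successes = [e[2] for e in evs if e[3] == "LOGIN_OK" and e[0] >= start[0]]
                alerts[ip] = {"distinct_users": len(users), "successes": successes}
                break
    return alerts


if __name__ == "__main__":
    print(find_stuffing(parse(SAMPLE_LOG)))
```

On the sample, only 203.0.113.7 is flagged (five accounts in five seconds, then a successful login as "frank"); the single-account retry from 198.51.100.2 is left alone.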
Not all breaches are cyberattacks, however. The AEPD continues to see high numbers of incidents involving:
- Misdirected communications, such as emails or letters sent to the wrong recipient; and
- Inadvertent disclosures, such as documents being made publicly accessible on websites or shared drives without appropriate access controls.
These human‑error incidents typically affect fewer individuals, but can still present significant risks in certain contexts (for example, where sensitive categories of data are involved).
Three-year trend: fewer notifications, much larger scale
Looking across the last three years, a clear trend emerges:
Notifications to the AEPD
- 2023: 2,004
- 2024: 2,933 (up 46% year on year)
- 2025: 2,765 (down 6% year on year, but still 38% above 2023)
This suggests that the sharp increase seen in 2024 has plateaued, but that organisations continue to operate in a heightened risk environment. It may also reflect greater familiarity with the notification rules, making organisations more confident in their internal risk assessments and less inclined to “over‑notify”.
Individuals notified due to high-risk breaches
- 2023: approximately 17 million
- 2024: over 100 million
- 2025: over 200 million
This represents a twelvefold increase over two years in affected individuals notified in relation to high‑risk breaches, driven largely by a relatively small number of very large‑scale incidents. The data indicates that while the number of reportable breaches may not be rising sharply, the impact of those breaches is expanding significantly.
On the enforcement side, regulatory interventions have not grown in line with the scale of impact:
- The AEPD referred only 11 cases for investigation in 2025, compared with 15 in 2024 and 16 in 2023.
- This is the lowest escalation rate recorded in the period, despite higher notification volumes and significantly more individuals being affected.
This suggests a clear supervisory focus on the most impactful cases, as reflected in several multimillion‑euro fines imposed in recent years for large‑scale data breaches.
Understanding the notification obligation
Under Article 33 of the GDPR, data controllers must notify the competent supervisory authority of a personal data breach unless it is unlikely to result in a risk to the rights and freedoms of affected individuals.
The AEPD reiterates several important points:
Notification is part of accountability
Submitting a breach notification is not an admission of wrongdoing. It is a concrete expression of the controller's accountability obligations under the GDPR.
Notification does not automatically mean investigation
Filing a notification does not in itself trigger an administrative investigation. On the contrary, timely and complete notifications are typically viewed as evidence of responsible behaviour.
Failure to notify is an infringement
Not notifying when required constitutes a breach of the GDPR, and can be a standalone basis for enforcement action.
Beyond supervisory authority notification, Article 34 GDPR requires controllers to inform affected individuals without undue delay where a breach is likely to result in a high risk to their rights and freedoms. Clear and practical communications allow individuals to understand the potential impact on them, and individuals can then take concrete protective steps, such as changing passwords, monitoring accounts or contacting their bank.
The AEPD identified a controller's reluctance or refusal to communicate with affected individuals as a key factor in deciding whether to refer a breach to its inspection services for investigation.
Key takeaways for organisations
The 2025 statistics convey a clear message: although the number of breach notifications has stabilised, the scale and severity of the incidents behind those notifications continue to grow. Cybersecurity is not only an information technology issue; it is a strategic risk, with direct implications for regulatory, financial and reputational exposure.
In practice, organisations should:
- Strengthen preventive measures, especially:
  - implementing and enforcing multi‑factor authentication;
  - hardening remote access (VPNs, web applications) and monitoring for anomalous access patterns; and
  - managing third‑party and supply‑chain risks, particularly where data processors handle large volumes of personal data;
- Enhance incident response capabilities by:
  - maintaining and regularly testing incident response plans;
  - defining clear internal roles and escalation paths (including to legal and privacy teams); and
  - preparing communication templates for supervisory authorities and affected individuals; and
- Review breach assessment and notification processes to ensure:
  - consistent risk assessment of incidents against GDPR thresholds;
  - timely submission of complete notifications; and
  - transparent, helpful communication with individuals where required.
The decreasing rate of investigations despite growing impact shows that supervisory authorities value transparent and structured breach management. Organisations that invest in robust governance, technical controls and incident response are better positioned both to reduce the likelihood and impact of breaches and to manage regulatory expectations when incidents do occur.
If you would like to discuss what these trends mean for your organisation, or need support in reviewing your incident response and notification procedures, please feel free to contact our data protection team.