The Lopesan hotel group has been the victim of a cyberattack that resulted in the mass extraction of personal data belonging to millions of customers. Unlike other companies, Lopesan has reportedly chosen to downplay the incident, which has raised concerns among its customers and staff. In April 2024, Lopesan Hotels Group reported that it had been targeted by the well-known RansomHouse group, which had previously compromised other entities such as the Hospital Clínic de Barcelona. Preliminary analysis indicates that approximately 650 GB of confidential data was compromised.
Since the attack became known, Lopesan has activated security protocols to contain and mitigate the effects of the incident. However, people connected with the chain have expressed their discontent, saying that they have been passed from one office to another without the problem apparently being resolved. The compromised data includes first names, surnames, dates of birth, ID or passport numbers, email addresses, telephone numbers, card details and IBANs. In addition, some clients and employees have reported suffering phishing and identity theft attacks since staying in the chain's hotels. Lopesan has recommended that its clients pay attention to suspicious communications and avoid clicking on links from unknown sources. The company has also urged its clients not to respond to suspicious messages or open files from untrustworthy sources.
Personal data breaches can have considerable adverse effects on individuals, potentially causing physical, material or immaterial damage. It is essential to manage them appropriately to prevent the rights and freedoms of individuals from being compromised. In this case, Lopesan has chosen to minimise the incident rather than treating it with the seriousness it warrants, as also tends to happen with IBEX companies when they are attacked. Article 33 of the General Data Protection Regulation (GDPR) obliges those responsible for processing personal data to notify the competent supervisory authority of personal data breaches when they are likely to pose a risk to the rights and freedoms of individuals. The AEPD (the Spanish Data Protection Agency) offers the ASESORA BRECHA tool to assist in this decision-making.
Data controllers must assess the level of risk of a personal data breach and notify the supervisory authority within 72 hours of the organisation becoming aware of the breach. When the risk is high, they must also communicate the breach to the affected individuals in accordance with Article 34 of the GDPR. Notifications of personal data breaches to the AEPD must be made electronically, using the personal data breach notification form on the Electronic Office, to ensure correct fulfilment of the obligations of Article 33.3 of the GDPR. Notification to the supervisory authority is part of the proactive responsibility (accountability) established in the GDPR, and notifying does not in itself imply that an administrative procedure will be opened. Complying with this obligation in a timely manner is evidence of the organisation's diligence.
Even in cases where the controller considers that there is no risk to the rights and freedoms of natural persons, the controller is obliged to document any personal data breach, including the related facts, its effects and the corrective measures adopted. This documentation allows the supervisory authority to verify compliance with the provisions of Article 33 of the GDPR. To assist with the obligation to notify personal data breaches to the supervisory authority, the AEPD provides guidance in its Guide for the notification of personal data breaches, as well as other resources in its innovation and technology section.