Bizum, one of Spain’s most popular payment tools, is facing its toughest moment yet. What many thought impossible has been confirmed: a data breach exposed the personal information of over 20,000 users, and the worst part is that no one was informed in time.
The Spanish Data Protection Agency (AEPD) has fined the company after discovering that the leak—occurring in 2022 but concealed until 2023—allowed part of the information to end up for sale on the Dark Web.
A Story That Started Earlier Than You Think
Although the breach was only recently revealed, the vulnerability dates back to 2020. A user discovered that Bizum’s system could be exploited with a simple script that simulated money transfers.
Before the transaction was canceled, the system displayed names and phone numbers of other users, allowing attackers to create complete databases through scraping (automated data extraction).
The user reported the flaw to both Bizum and the AEPD, and the company claimed it had fixed the issue by blocking accounts with more than 30 failed attempts and reinforcing controls. The agency, trusting those actions, closed the case.
However, in 2022, the worst was confirmed: a hacker exploited the same vulnerability that was supposedly fixed.
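The flaw described above is a classic recipient-enumeration pattern: a transfer is initiated, the recipient's name is shown, and the transfer is cancelled before any money moves, so nothing looks like a failed login. The control the article mentions (blocking an account after 30 failed attempts) only catches volume from a single account. The following script is an added example written for this article, not Bizum's code; it assumes a hypothetical transfer-initiation event log (timestamp, account, recipient number, outcome) and scores each account on two signals: the number of cancelled initiations inside a time window, and whether the recipients looked up form a run of consecutive phone numbers, which real users essentially never produce.

```python
"""Detection heuristic for recipient enumeration via cancelled transfers.

Added example, not Bizum's own code. Assumes a constructed event log in which
each line is '<iso-timestamp> <account> <recipient-number> <outcome>'.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_CANCELLED = 30          # threshold quoted in the article: block after >30 failed attempts
WINDOW = timedelta(minutes=10)
MIN_SEQ_RUN = 5             # assumption: a run of 5+ consecutive recipients is not organic use


def parse_event(line):
    """Parse one constructed log line into (timestamp, account, recipient, outcome)."""
    ts, account, recipient, outcome = line.split()
    return datetime.fromisoformat(ts), account, int(recipient), outcome


def longest_consecutive_run(numbers):
    """Length of the longest run of consecutive integers among the given numbers."""
    present = set(numbers)
    best = 0
    for n in present:
        if n - 1 in present:
            continue            # only start counting at the first number of a run
        length = 1
        while n + length in present:
            length += 1
        best = max(best, length)
    return best


def analyze(lines):
    """Return {account: [reasons]} for accounts whose behaviour looks like enumeration.

    'volume'     - more than MAX_CANCELLED cancelled initiations within WINDOW
    'sequential' - recipients include a run of MIN_SEQ_RUN or more consecutive numbers
    """
    cancelled_times = defaultdict(deque)   # account -> timestamps of cancelled initiations
    recipients = defaultdict(set)          # account -> every recipient the account looked up
    flagged = defaultdict(set)

    for line in lines:
        ts, account, recipient, outcome = parse_event(line)
        recipients[account].add(recipient)
        if outcome != "cancelled":
            continue
        window = cancelled_times[account]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()             # drop events older than the sliding window
        if len(window) > MAX_CANCELLED:
            flagged[account].add("volume")

    for account, recs in recipients.items():
        if longest_consecutive_run(recs) >= MIN_SEQ_RUN:
            flagged[account].add("sequential")

    return {account: sorted(reasons) for account, reasons in flagged.items()}


# Constructed sample log: one account walking a block of numbers and cancelling
# every transfer, and one ordinary user with a few unrelated transfers.
BASE = datetime(2022, 9, 12, 10, 0, 0)
SAMPLE_LOG = [
    f"{(BASE + timedelta(seconds=3 * i)).isoformat()} scraper {600000000 + i} cancelled"
    for i in range(35)
] + [
    f"{(BASE + timedelta(minutes=1)).isoformat()} alice 612345678 completed",
    f"{(BASE + timedelta(minutes=2)).isoformat()} alice 699000111 cancelled",
    f"{(BASE + timedelta(minutes=3)).isoformat()} alice 655555555 completed",
]

if __name__ == "__main__":
    for account, reasons in analyze(SAMPLE_LOG).items():
        print(f"{account}: {', '.join(reasons)}")
```

The sequential-recipient signal is the one worth keeping even if the per-account threshold is tuned differently: a volume threshold alone is a single number to stay under, whereas a run of consecutive recipients is a property of the data being harvested, not of the account doing the harvesting. In production the same logic would run over the payment platform's real initiation events, and a hit would be a reason to suspend the account and, as the article's later sections argue, to start the breach-notification clock.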
The Attack Bizum Tried to Keep Quiet
In September 2022, one of the partner banks detected unusual activity lasting only two hours—but long enough to extract the data of 20,070 users.
The attacker didn’t steal money or passwords, but did access names, initials, and phone numbers. At first, the damage seemed minor, but the real issue was what came next: Bizum didn’t notify the affected users.
For months, the company kept the incident secret, arguing the risk was “low.” It wasn’t until November 2023, over a year later, that a database with 2,634 extracted records appeared for sale on the Dark Web.
The leaked phone numbers ranged between 600 000 000 and 600 007 494. Only then—when the evidence became public—did Bizum inform the AEPD.
The AEPD’s Response: Fines and a Warning
The Spanish Data Protection Agency quickly responded, ruling that Bizum acted negligently by failing to detect the breach in time or inform affected users.
According to the AEPD, Bizum’s internal alert system completely failed, and the lack of communication eroded user trust. The agency imposed a €100,000 fine, reduced to €80,000 for voluntary payment.
Bizum must now comply with several requirements:
- Implement stronger security measures.
- Limit internal access to personal data.
- Prove to the AEPD that the vulnerabilities have been corrected.
What Data Was Exposed (and What Wasn’t)
The good news: no passwords or banking information were leaked.
The compromised data included:
- Full names (or initials in some cases).
- Phone numbers.
Still, this is far from harmless. Such information can be used for phishing, impersonation, or targeted fraud. For instance, scammers could pose as your contacts or trusted services using this data.
Cybersecurity experts agree: any personal data has value. In the cybercrime ecosystem, even small leaks are combined with other breaches to build full identity profiles.
How to Check If You Were Affected
If your phone number falls between 600 000 000 and 600 007 494 and you use Bizum, there’s a chance your data was exposed.
Although Bizum claims to have removed the leaked files with the help of a cyberintelligence firm, there’s no guarantee that copies aren’t circulating online.
At TecnetOne, we recommend taking the following precautions:
- Be skeptical of unexpected messages or calls—Bizum will never ask for verification codes by phone or SMS.
- Enable banking alerts to detect unusual activity.
- Avoid sharing your phone number publicly or on social media.
- Change passwords if you reuse them across different services (even if this breach didn’t include credentials).
- Report any suspicious messages to your bank or directly to Bizum.
Bizum’s Statement on the Breach
After the leak became public, Bizum issued a statement acknowledging the breach, though insisting there was “no real risk for users.”
The company stated that the leaked data couldn’t be used to perform transactions or access accounts. However, it admitted underestimating the original vulnerability and announced a full review of its systems and alert protocols.
Bizum also added new early detection tools and increased oversight among its partner banks.
Despite these actions, public trust has been shaken. For years, Bizum was synonymous with security and convenience; now, its reputation hangs in the balance.
Cybersecurity Lessons from the Bizum Case
At TecnetOne, we see this as a textbook example of how a small vulnerability can have major consequences when transparency and speed are lacking.
Key takeaways include:
- No system is infallible. Even the most secure platforms are vulnerable if they become complacent.
- Early detection is vital. The longer it takes to detect a breach, the worse the reputational impact.
- Timely communication with users is not optional—it’s a duty.
- Personal data always has value, even seemingly trivial details.
- Continuous monitoring and external audits are essential for critical digital infrastructure.
Conclusion: Trust Is the True Asset to Protect
The Bizum breach leaves one clear lesson: security doesn’t end when the incident is contained—it ends when user trust is restored.
Even though no accounts or money were compromised, the lack of transparency and poor communication were as damaging as the attack itself.
At TecnetOne, we believe cybersecurity isn’t just about protecting data—it’s about protecting relationships. Trust is built with transparency, accountability, and continuous action.
If you’re a Bizum user, stay vigilant, monitor your communications, and never share personal data through unverified channels.