Play ransomware gang says it's behind attack on major Spanish bank

Globalcaja branch office in Madrid, Spain
(Image credit: Getty Images)

Globalcaja, one of Spain’s largest banking institutions, has fallen victim to a ransomware attack said to have been orchestrated by the Play ransomware group. 

The ransomware gang listed the bank as one of its latest victims on its leak site and claims to have gained access to both private and personal data, as well as client and employee documents. 

Passport information and confidential contracts were also noted among the list of data seized during the incident. 

Globacaja confirmed the attack in a statement on June 2nd, but insisted that it had not affected customer or client accounts. 

The bank added that it "activated security” protocols designed to mitigate the impact of a potential breach.

“From the very beginning, at Globalcaja we activated the security protocols created for this purpose, which led us to disable some office posts and temporarily limit the performance of some operations,” the company said. 

“We continue to work hard to finish normalizing the situation and are analyzing what happened, prioritizing security at all times.”

Globalcaja serves more than half a million customers across Spain and employs over 1,000 staff. At present, it is unclear whether Globalcaja has engaged with the group or paid ransom demands.

Martin Mackay, CRO at Versa Networks said the attack aligns with a long-standing trend of ransomware groups targeting financial institutions due to the volume of critical data they hold and process. 


Orange webinar screen with title and image of magnifying glass with chart and graph icons inside

(Image credit: Cloudflare)

How applications are attacked

Key attacks that organizational security postures must account for in 2023


“Whilst it’s unknown if Globalcaja has paid Play’s ransom demands, the most important thing in this situation is to not give in to any demands. Paying the ransom is no guarantee that stolen data will be returned or not leaked, and it only fuels further cybercriminal activity,” he said. 

“The finance sector is an attractive target for ransomware attacks because of the sheer volume of data and critical services managed by financial institutions. Targeting client information and threatening to leak data can not only result in financial damage, but also jeopardize the values and the reputation of the bank.”

Recurring attacks by Play ransomware

This marks the latest in a string of high-profile attacks conducted by the Play ransomware group, which rose to prominence in mid-2022. 

The group has previously claimed responsibility for a highly disruptive attack against Rackspace earlier this year that led to the exposure of sensitive data including passport information, confidential contracts, and student IDs. 

Play was also the group behind ransomware attacks on the German hotel chain, H-Hotels, and the State of New York (SUNY) Polytechnic college last year. 

The group has traditionally targeted organizations across Latin America, according to analysis from Avertium. However, it also has a track record of deploying attacks on companies operating in India, Hungary, the Netherlands, and Spain. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at, or on Twitter and LinkedIn.