Why Small Businesses are Targets on the Dark Web: The Case of a Spanish Insurance Company

We often think that only large corporations suffer data breaches. However, a recent incident in underground forums shows that size does not matter when it comes to valuable information, and proactive monitoring is essential for everyone.

The Dark Web finding

Recently, through our Global Threat Intelligence capabilities, we detected a post on a well-known cybercrime forum where a threat actor under the pseudonym albmstwntd put up for sale a complete database belonging to a small insurance company in Spain.

[Figure: Obfuscated screenshot of the Dark Web forum post offering the database for sale (actor and contact details obfuscated for security).]

The announcement clearly specifies the target: "SPANISH SMALL INSURANCE COMPANY". Despite being labeled as "small", the volume and sensitivity of the compromised data are alarming.

Impact analysis

According to the details provided by the attacker, the leak includes:

  • More than 90,000 affected clients.
  • A CSV file with more than 110,000 lines containing: full name, ID, postal address, mobile phone and bank accounts (IBAN).
  • A complete dump of the original database (SQL Server .bak) with a size of 50GB, suggesting there could be much more confidential internal information, corporate emails or attached documents.

For cybercriminals, this information is pure gold. Complete banking and personal data enable highly targeted phishing campaigns (spear phishing), identity theft to take out credit in the victim's name, and direct financial fraud.

The company size myth

There is a false sense of security in small and medium-sized enterprises (SMEs). Many executives think: "We are too small, cybercriminals look for the big fish". This incident completely debunks that myth.

Most modern attackers do not work manually, hand-picking victims by brand name. They use automated tools that scan the Internet at scale for vulnerabilities, misconfigurations, or leaked credentials. If your server has a weakness, you will be attacked, whether you are a multinational or a local insurance brokerage.

The value is in the data

For a cybercriminal, 90,000 IBANs and IDs are equally monetizable regardless of whether they come from a large financial institution or a small agency.

The importance of proactive monitoring

When a 50GB database goes on sale, reputational damage and potential legal sanctions (such as those under GDPR) are already underway. The key is to be the first to know that the information is compromised, rather than finding out when clients start reporting fraud in their bank accounts.

This is where a robust Threat Intelligence strategy comes into play:

  • Early detection: Monitoring Dark Web forums, Telegram channels (OSINT), and Initial Access Broker (IAB) markets allows you to detect if your company or sector is being targeted before the damage multiplies.
  • Reducing the exposure window: If you know what data has been leaked, you can force password resets, notify affected customers to block fraud attempts, and quickly patch the source vulnerability.
  • Knowing the attacker: Analyzing the seller's profile lets you map their tactics, techniques, and procedures (TTPs) with frameworks like MITRE ATT&CK, to understand how they gained entry and to prevent future incidents.

At Notmining, our platform automates this surveillance. With advanced analysis capabilities, owned infrastructure discovery, and continuous tracking in the cybercriminal ecosystem, we provide companies of any size the visibility they need to protect their most valuable asset: their customers' data.