Hacking in Spain

Hacking someone’s social‑media account in Spain is taken very seriously. Below I’ve put together a clear, practical summary of the criminal lawtypical penalties, and what you should do right away (reporting, evidence, civil remedies, and data‑protection options). I’ll cite Spanish sources for the most important legal points.

1) Which criminal laws apply (short version)

  • Unauthorized access to accounts / systems is criminalised by Article 197‑bis of the Spanish Penal Code (acceso ilícito a sistemas informáticos). It covers accessing protected computer systems or data without permission even when no data is altered. Iberley+1
  • Discovery, interception or disclosure of secrets / private communications (e.g., reading someone’s private messages, emails, DMs) falls under Article 197 and related paragraphs (delito contra la intimidad / descubrimiento y revelación de secretos). Penalties increase if the data is transferred, published or used. Sherloc+1
  • Non‑consensual distribution of intimate images (revenge porn / sharing private sexual images) is separately criminalised (see Article 197.7 and related subsections) with specific prison/fine ranges. Better Internet for Kids

(There are also provisions that can make legal persons liable and aggravating circumstances where penalties are higher.) Osborne Clarke

2) Typical penalties (what to expect)

  • Penalties depend on the exact offence and aggravating facts (disclosure, public dissemination, minors, profit motive, organised groups). Sentences commonly range from fines to several years’ imprisonment for serious cases (multiple sources summarise prison terms and fines for Articles 197 / 197‑bis). If private material is published or shared, penalties rise. Sherloc+1

3) What to do immediately if your account has been hacked (practical steps)

  1. Secure your accounts
    • Change passwords on other accounts that use the same password. Enable two‑factor authentication (2FA).
  2. Collect and save evidence (do this before deleting anything):
    • Screenshots of unusual activity, messages, posts, or settings changes; login history (platform shows recent login locations/devices); any phishing emails; URLs; timestamps. Store copies offline.
  3. Report to the platform (Facebook/Instagram/X/Twitter, WhatsApp, etc.) using their “report hacked account” process — social platforms will often restore control or remove content faster than courts.
  4. File a criminal complaint (denuncia) with Spanish police: Policía Nacional (Unidad de Investigación Tecnológica — UIT) or Guardia Civil (Grupo de Delitos Telemáticos). You can file online via Spain’s police telematic complaint portals (Denuncia Telemática), or go to a station in person. Report quickly — rapid reporting helps investigations. denuncias.policia.es+1
  5. Notify the AEPD (Agencia Española de Protección de Datos) if personal data have been exposed — the AEPD handles data‑protection complaints and can require removal or investigate breaches under GDPR. There are forms and guidance for data‑breach notification. AEPD+1
  6. Consider specialist help — a cyber‑forensics expert can extract logs and build evidential packets for police or lawyers. Also consider a lawyer experienced in cybercrime/privacy for urgent injunctions (e.g., to take down content or stop distribution) and civil claims for damages.

Sources on reporting and procedures: Guardia Civil / Policía Nacional telematic reporting pages and practical guides explain these steps. web.guardiacivil.es+1

4) Criminal vs civil routes — what each can do

  • Criminal complaint triggers a police investigation and possible prosecution (evidence permitting). Criminal law can lead to prison sentences, fines, seizure of devices. Iberley+1
  • Civil action can aim for injunctions (court orders to remove content), compensation for damages, and moral‑damage claims. A civil case can be pursued in parallel with criminal proceedings. Legal advice is recommended.

5) Evidence tips (what police and prosecutors want)

  • Export login histories/screenshots from the platform showing suspicious IPs, devices, or locations.
  • Preserve original copies of messages/posts and any emails from the platform about the compromise.
  • Note dates/times and any chain of events (phishing link clicked, suspicious app installed).
  • If you suspect a specific person, document any links between that person and the hacking (threats, access to your devices, shared passwords, etc.).

6) Data protection (GDPR / AEPD)

  • If your personal data are processed unlawfully (published, shared or misused), you can file a complaint with the AEPD; they can investigate and impose administrative fines separate from criminal penalties. The AEPD also offers urgent content‑removal procedures in some cases. AEPD+1

7) Practical checklist you can follow now

  •  Change passwords and enable 2FA on all important accounts.
  •  Screenshot everything suspicious (posts, messages, login history). Save copies offline.
  •  Report the hack to the social platform (use their “hacked account” flow).
  •  File an online denuncia with Policía Nacional / Guardia Civil (telematic form) and include the evidence. denuncias.policia.es+1
  •  If intimate images were shared, mention Article 197.7 in your complaint and ask for urgent removal. Better Internet for Kids
  •  Consider contacting a cyber‑forensics specialist and a lawyer.
  •  If you think many of your personal data were exposed, consider filing a complaint with the AEPD. AEPD

Final notes and quick legal reality check

  • Hacking/social‑media account compromise is both a privacy/data issue and a computer‑crime issue under Spanish law. The state can press criminal charges if evidence supports it (Article 197, 197‑bis and related sections). Sherloc+1
  • Acting quickly — collecting evidence, filing the denuncia, and notifying the platform — increases the chance of content being removed and investigators tracing the attacker. Bitdefender+1

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.