The tourism sector in southern Gran Canaria faces a new scenario of extreme digital vulnerability after a security breach was revealed that directly affects the island's main accommodation operator. A group of cybercriminals operating under the Trezor threat actor has claimed responsibility for a large-scale cyber intrusion against the computer systems of Lopesan Hotel Group. The international cyber alert, initially intercepted by global digital risk monitoring platforms such as Hackmanac, points to the illicit theft of a massive volume of documents that compromises the confidentiality of thousands of international clients who booked stays at the Canary Islands corporation's four- and five-star hotels in Meloneras and Maspalomas.
The massive data breach perpetrated by cyber attackers consists of an indexed registry containing a total of 27.629 individual guest records. The inventory of compromised documentation on hotel servers includes critical fields of personal and residential information for users, including their full names, operational email addresses, ages, exact travel dates, and country codes. The hack also reveals internal logistical details of the hotel operations of the multinational tourism company in the south of the island, such as room numbers assigned to guests, language preferences, specific lengths of stay, and confidential information about specific treatments received at the group's health and wellness resorts.
The cybersecurity incident was officially registered in the company's IT intelligence networks on Monday, May 11, 2026, initiating a critical period of technical analysis. The current status of the case is "pending official verification" by the company's IT auditors. Digital risk assessment tools have assigned this cyberattack an ESIX technical severity score of 5.04, a medium-to-high impact metric that highlights the vulnerability of the hack, which simultaneously exposed identifying data along with consumer and health profiles of tourists. The dissemination of these operational patterns facilitates the creation of targeted fraud campaigns or identity theft against high-income European visitors to the San Bartolomé de Tirajana coastline.
The technological vulnerability revealed by this cyberattack places Lopesan Hotel Group in a potentially precarious legal and regulatory situation with the Spanish Data Protection Agency (AEPD) if a breach of the security measures required by the European Union's General Data Protection Regulation (GDPR) is conclusively confirmed. The hotel corporation is now compelled to implement a digital forensic audit protocol to pinpoint the source of the intrusion into its central databases and determine whether the unauthorized access was carried out through direct booking portals, third-party payment gateways, or via phishing attacks targeting employees of the hotel group.
The IT system failure at the tourism giant in southern Gran Canaria has disrupted the loyalty campaign and damaged the commercial reputation of the Maspalomas Costa Canaria tourist destination amidst a heated debate about digital modernization and the resilience of the archipelago's critical infrastructure against cybercrime. Full details of the stolen data and the sectoral impact assessment remain under restricted analysis on specialized corporate cyber risk management platforms. This incident underscores the urgent need for hotel chains in the islands to increase their budgets for data protection and firewalls in the face of a type of cyberattack that no longer distinguishes between global financial corporations and the reservation systems of the Canary Islands' economic engine.
