The hack surprised everyone. It was eleven o’clock at night on May 17, 2016. And suddenly the Twitter profile of the Mossos d’Esquadra Union (SME) began to write something surprising. “Mosos is on strike! We are tired of serving the powerful and fighting the people,” read the first tweet. Several followed in the same style with a declaration of “re-establishment” of the union. At 11:23 p.m., the worst part of the computer attack was complete: the dissemination of the personal information of more than 5,400 Mossos d’Esquadra. Names, addresses, telephone numbers and even bank details were published. Six years later, the investigation into the case is closed. Three people, including two engineers, a man and a woman, who were then a couple, stand a step away from the bench. There is still no trace of Phineas Fisher, the hacker who claimed responsibility for the attack.
“The only proven thing is that they had a proxy” (a server that makes it possible to anonymize surfing on the Internet), criticizes lawyer Carlos Sánchez Almeida, who specializes in such cases and defends the engineers. These were installed in Barcelona and had the public proxy at home so anyone could use it to connect to the network. In the complex case, the Mossos accredited at least two breaches into the SME server on May 8th and 16th from this proxy, prior to the hack that occurred on May 17th. “We condemn the attack and what it entailed, but our customers are innocent,” reiterates Sánchez Almeida, adding that after their phones were tapped, they were detained and all their computer equipment was accessed, “no evidence was found.” that they communicated with Phineas Fisher,” other information directly incriminating them.
Various cyber attacks have been alleged under the pseudonym Phineas Fisher. The one who had made the hacker famous had been the Italian company Hacking Team a year earlier. Then it turned to selling security programs to governments and corporations. Phineas Fisher also claimed responsibility for the attack on the Mossos union and said he did so after watching Ciutat Morta’s documentary about alleged misconduct by the Barcelona Urban Guard in arresting some young people after a local police officer became a quadriplegic when a blunt object fell on his head after an eviction. The hacker also mentioned other controversial cases, such as that of Ester Quintana, who was mutilated in one eye by a Mossos ball, or that of businessman Juan Andrés Benítez, who died after being overwhelmed by the Catalan police. After the arrest of the three defendants, Phineas Fisher wrote to various media on January 31, 2017, making it clear that he was still at large. And since then, several attacks have been carried out under his brand.
“We don’t know if it’s Phineas Fisher or not, but they had active involvement and knowledge of the facts,” says SME lawyer Josep Lluís Ribera. According to the cops uncovered with the leak, the union was the main victim of the hack. “It was a blow to membership, the union’s reputation and also the cost of restoring computer security,” says Ribera. More than 200 agents are present as private prosecutors in the case, and some are calling for the union to be held subsidiary to civil liability for the breach of their personal information if the case is finally cleared of convicts. “The level of hacking was very high,” says Ribera, who claims the union responded as best it could. The hacker did not access the entire server, but a campus-specific part of the courses offered. And he defends that they had the “proper” defense. “In a matter of minutes, control was regained over the server from which they extracted no data,” he claims.
“Both have lost their jobs,” regrets lawyer Simone Ordinas, who is also involved in defending the engineers. The arrests and charges turned her life upside down. Added to this was the uncertainty of a six-year investigation. “She didn’t even know she had a proxy installed in her house,” regrets the lawyer, who recalls that having a proxy is not a crime. “It’s a bit ridiculous and rude to bench two engineers because they have a deputy at home,” he laments. The lawyer also adds another complaint about the third defendant: a Catalan resident in Salamanca. The Mossos investigations claim that the Mossos data was disseminated from his Twitter account and via the IP of his home country. In this case, when the police searched their computer equipment, they found child pornography. Ordinas criticizes that the charges for this crime are mixed up with the rest. “It intends to damage the image of our customers,” adds Sánchez Almeida.
The prosecutor’s indictment is still pending, as is the KMU itself, which is finalizing the indictment. There are other allegations in the case as well, such as that of the USPAC union, which filed it as a public prosecution. And also those of dozens of Mossos who are individually claiming damages.
What affects most is what happens next. Subscribe so you don’t miss anything.
Subscribe to
Follow EL PAÍS Catalunya on Facebook and Twitteror sign up here to receive our weekly newsletter