Lopesan Group Faces Second Major Data Exposure in Two Years
Gran Canaria’s largest accommodation operator, the Lopesan Group, is under investigation following a suspected security breach that may have exposed 27,629 customer records. The incident, detected on May 11, 2026, primarily affects guests of the company’s resorts in Meloneras and Maspalomas, two high-traffic tourist hubs in southern Gran Canaria.
The compromised data includes full names, email addresses, ages, stay dates, countries of origin, assigned rooms, language preferences, and services used details tied to routine hotel operations. Threat monitoring platforms assigned the incident an ESIX score of 5.04, categorizing it as a medium-high impact event.
This is not the first such incident for Lopesan. In July 2024, the company acknowledged a prior breach involving the extraction of more sensitive personal data, including passport numbers, signatures, and check-in/check-out records. While the current exposure appears less severe in terms of data sensitivity, both incidents involve stay-related customer information, raising concerns about persistent vulnerabilities in the group’s systems.
Investigators have yet to determine whether the breach stemmed from unauthorized access to central systems or a failure elsewhere in the infrastructure. Lopesan has announced plans for forensic analysis and technical audits to assess the full scope of the incident and identify its origin. The outcome will clarify whether the exposure resulted from a targeted intrusion or a systemic security gap.
Lopesan cybersecurity rating report: https://www.rankiteo.com/company/lopesan
"id": "LOP1780332157",
"linkid": "lopesan",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '27,629',
'industry': 'Hospitality',
'location': 'Gran Canaria, Spain',
'name': 'Lopesan Group',
'type': 'Accommodation Operator'}],
'data_breach': {'number_of_records_exposed': '27,629',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Medium-high (ESIX score of 5.04)',
'type_of_data_compromised': ['Full names',
'Email addresses',
'Ages',
'Stay dates',
'Countries of origin',
'Assigned rooms',
'Language preferences',
'Services used']},
'date_detected': '2026-05-11',
'description': 'Gran Canaria’s largest accommodation operator, the Lopesan '
'Group, is under investigation following a suspected security '
'breach that may have exposed 27,629 customer records. The '
'incident primarily affects guests of the company’s resorts in '
'Meloneras and Maspalomas. The compromised data includes full '
'names, email addresses, ages, stay dates, countries of '
'origin, assigned rooms, language preferences, and services '
'used. This is the second such incident for Lopesan, following '
'a breach in July 2024 involving more sensitive data.',
'impact': {'brand_reputation_impact': 'Medium-high (ESIX score of 5.04)',
'data_compromised': '27,629 customer records'},
'investigation_status': 'Under investigation',
'response': {'remediation_measures': 'Forensic analysis and technical audits'},
'title': 'Lopesan Group Faces Second Major Data Exposure in Two Years',
'type': 'Data Breach'}