What are you looking for?

In April 2023, the municipal government of a small town in Spain announced a financial aid program, offering €100 to each registered resident. While researching the voucher claiming system, I identified a significant design flaw that could be exploited to claim vouchers on behalf of other individuals. This vulnerability, leveraging identity theft via OSINT PII, required only a name and a national ID number—information readily accessible online through official documents despite being considered private. Political interests hindered the ethical disclosure process, leading to premature media exposure before the system could be patched, ultimately resulting in numerous residents losing their vouchers to digital criminals.