Lopesan Group Faces Second Major Data Exposure in Two Years Gran Canaria’s largest accommodation operator, the Lopesan Group, is under investigation following a suspected security breach that may have exposed 27,629 customer records. The incident, detected on May 11, 2026, primarily affects guests of the company’s resorts in Meloneras and Maspalomas, two high-traffic tourist hubs in southern Gran Canaria. The compromised data includes full names, email addresses, ages, stay dates, countries of origin, assigned rooms, language preferences, and services used details tied to routine hotel operations. Threat monitoring platforms assigned the incident an ESIX score of 5.04, categorizing it as a medium-high impact event. This is not the first such incident for Lopesan. In July 2024, the company acknowledged a prior breach involving the extraction of more sensitive personal data, including passport numbers, signatures, and check-in/check-out records. While the current exposure appears less severe in terms of data sensitivity, both incidents involve stay-related customer information, raising concerns about persistent vulnerabilities in the group’s systems. Investigators have yet to determine whether the breach stemmed from unauthorized access to central systems or a failure elsewhere in the infrastructure. Lopesan has announced plans for forensic analysis and technical audits to assess the full scope of the incident and identify its origin. The outcome will clarify whether the exposure resulted from a targeted intrusion or a systemic security gap.