What happened
A ransomware attack disrupting operations at Spain’s Port of Vigo forced authorities to disconnect parts of the port’s network and shift some cargo processes to manual handling. Port officials said the attack was detected early Tuesday and affected computer servers used to manage cargo traffic and other digital services at the major fishing port in Galicia. Officials told local media that some equipment was locked and that the incident involved a ransom demand. In response, the port authority’s technology team isolated affected systems from external networks to contain the impact. Carlos Botana, president of the port, said systems will not be reconnected until security teams are certain the network is safe. He also said there is currently no estimated timeline for restoring normal digital operations.
Who is affected
The direct impact falls on Port of Vigo operations, particularly digital services used for cargo traffic and logistics coordination. Physical operations, including ship movements and cargo handling, are continuing, but some operators have been told to rely on manual procedures and paper documentation.
Why CISOs should care
This incident matters because a ransomware attack on a major port disrupted the digital systems that support logistics coordination without stopping physical operations entirely. For CISOs, it highlights the operational strain that follows when critical infrastructure must isolate networks and fall back to manual processes while recovery timelines remain uncertain.
3 practical actions
- Validate manual fallback capacity: Confirm that critical logistics and coordination workflows can continue through manual procedures and paper documentation when digital systems are taken offline.
- Set reconnection thresholds in advance: Establish clear technical and leadership criteria for when isolated systems can be safely reconnected after a ransomware event.
- Scope digital dependency in port operations: Review which operational services rely on networked platforms so disruption can be contained without halting all physical activity.
For more coverage of major incidents and threat activity, explore our reporting on Cyberattacks.