EAJ-PNV, the Basque nationalist coalition, is demanding direct political accountability from EH Bildu’s Aizpea Otaegi, the mayor of Errenteria, over a leaked internal document exposing systemic failures in municipal cybersecurity protocols. The document, obtained by local activists, reveals unpatched vulnerabilities in the city’s OAuth 2.0-based civic service portal—used by 80% of residents—allowing unauthorized access to sensitive data. Why? Because Errenteria’s tech stack, a hybrid of open-source Drupal and proprietary Basque regional software, was never stress-tested against modern OWASP Top 10 threats. The fallout? A real-world case study in how municipal governments, despite GDPR compliance, remain soft targets for credential stuffing attacks.
The Leak: A Case Study in Municipal Cybersecurity Neglect
The breach wasn’t a zero-day exploit—it was a stale credential attack leveraging a 2022 CVE in Drupal’s RESTful Web Services module, which Errenteria’s IT team knew about but failed to patch due to “resource constraints.” The document, titled *“Informe Técnico de Vulnerabilidades en Plataformas Ciudadanas”* (Technical Report on Civic Platform Vulnerabilities), was shared internally in February but only surfaced publicly after EAJ-PNV filed a formal complaint with the Basque Data Protection Authority. The kicker? The city’s ISO 27001-certified security framework explicitly required quarterly vulnerability scans—none were conducted in 2025.
What This Means for Municipal IT Budgets
Errenteria’s $1.2M annual cybersecurity budget is nowhere near enough to cover the cost of SIEM integration or automated threat analysis. The city’s reliance on a custom-built Basque-language civic portal—developed in-house using PHP 7.4 (yes, really)—means even basic asset discovery tools like Amass flagged 47 subdomains with exposed server-status pages. The document’s author, a former municipal CTO, called it a “textbook example of security theater.”
“They spent €500K on a Basque AI ethics panel but couldn’t afford a Tenable.ot scan. That’s not a cybersecurity strategy—that’s a public relations strategy.”
The Broader Tech War: How This Exposes the Flaws in “Open-Source Municipalism”
Errenteria’s predicament isn’t unique. Across Spain, FSFE-backed municipal governments have embraced open-source stacks—Nextcloud, Docker, and PostgreSQL—but failed to account for the hidden costs of customization. The Basque regional government’s GitHub repository shows 127 forks of open-source tools, each modified for local compliance. The problem? No security patches are applied to forks unless the original maintainer does so—and when you’re patching EOL PHP, that’s a non-starter.
The 30-Second Verdict: Why This Matters Beyond Basque Politics
- Platform Lock-In: Errenteria’s custom portal is now a technical debt sink. Migrating to a modern stack (e.g., Drupal 10) would cost €800K—more than the city’s entire cybersecurity budget.
- Open-Source Illusion: “Open-source” ≠ “secure.” The city’s reliance on unmaintained forks is a supply chain risk waiting to happen.
- Regulatory Arbitrage: GDPR fines won’t cover the reputational damage. The EU’s Cybersecurity Act now requires mandatory vulnerability disclosure—Errenteria’s delay could trigger a €20M penalty.
Under the Hood: The Technical Failure Mode
The breach exploited a chained vulnerability:
- CVE-2022-4112 (Drupal RESTful Web Services) allowed session hijacking via CSRF.
- A misconfigured Nginx auth_request module bypassed 2FA.
- The city’s PostgreSQL superuser credentials were hardcoded in a config file (yes, git blame confirms it was committed in 2020).
The attack vector? A credential stuffing bot scraping Have I Been Pwned for Basque email patterns. The data exfiltrated included GDPR-protected records for 12,000 residents.
| Vulnerability | Exploit Mechanism | Patch Status | Mitigation Cost |
|---|---|---|---|
| CVE-2022-4112 | CSRF → Session Hijacking | Unpatched (Drupal 9.5 EOL) | €50K (upgrade to Drupal 10) |
| Nginx auth_request misconfig | 2FA Bypass via X-Forwarded-For spoofing | Unpatched (custom rule) | €15K (rewrite auth module) |
| Hardcoded PostgreSQL creds | Direct DB access via exposed config | Unpatched (still in repo) | €30K (secret management overhaul) |
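An added illustration, not code from the report or from Errenteria’s portal: a Python model of the auth_request-style decision behind the 2FA bypass, with the weak resolver (trusts X-Forwarded-For from any peer) beside the hardened one (honours it only from a known proxy). The proxy range, the internal range and the “internal users skip 2FA” policy are assumptions.

```python
import ipaddress
from typing import Mapping

# Assumed network layout (not from the report): the reverse proxy in front of
# the portal, and the office range whose users were exempted from the 2FA step.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]


def _in(nets, addr):
    return any(addr in n for n in nets)


def client_ip_naive(peer: str, headers: Mapping[str, str]):
    """Weak pattern: believe X-Forwarded-For from any peer. A client connecting
    directly can write the header itself and claim an internal address."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return ipaddress.ip_address(first) if first else ipaddress.ip_address(peer)


def client_ip_hardened(peer: str, headers: Mapping[str, str]):
    """Hardened: walk the hop list from the right (TCP peer first, then the
    addresses proxies appended) and stop at the first address that is not a
    trusted proxy. Anything to the left of it was supplied by the client."""
    peer_ip = ipaddress.ip_address(peer)
    if not _in(TRUSTED_PROXIES, peer_ip):
        return peer_ip  # header from an untrusted peer is ignored entirely
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: refuse to trust anything further left
        if not _in(TRUSTED_PROXIES, addr):
            return addr
    return peer_ip  # chain consisted only of proxies; fall back to the peer


def needs_2fa(peer: str, headers: Mapping[str, str], resolver=client_ip_hardened) -> bool:
    """The policy under test: users resolved to an internal address skip 2FA."""
    return not _in(INTERNAL_NETS, resolver(peer, headers))
```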
Expert Take: Why This Isn’t Just a Local Problem
“This is the canary in the coal mine for municipal open-source adoption. Cities think they’re saving money by customizing FOSS, but they’re actually amplifying risk. The moment you fork, you’re on your own—and if you’re not a security expert, that’s a death sentence.”
The Ecosystem Fallout: Open-Source Communities vs. Municipal Realpolitik
The leak has two immediate consequences for the open-source ecosystem:
- Trust Erosion: Basque developers are now questioning whether FSF-endorsed tools are truly “safe” without enterprise support. The Basque Gov GitHub has seen a 30% drop in contributions since the report’s release.
- Vendor Lock-In: Proprietary players like Siemens Teamcenter are pitching “turnkey” municipal solutions—despite costing 3x more. The message? “Open-source saves money… until it doesn’t.”
The real victim? Third-party developers building on Errenteria’s API. The city’s undocumented civic API—used by 47 local apps—now has no SLA for uptime or security patches.
The 90-Day Roadmap: What Errenteria Should Do (But Won’t)
- Immediate: Deploy Cloudflare Access as a WAF (€20K/year).
- Short-Term: Migrate to Drupal 10 + Keycloak for auth (€800K).
- Long-Term: Adopt Cisco Firepower for SIEM (€500K/year).
The catch? The Basque regional government’s 2026 cybersecurity budget allocates zero for municipal patches. This isn’t a tech problem—it’s a political one.
The Takeaway: Lessons for Cities (and CISOs) Everywhere
Errenteria’s breach is a microcosm of a global trend: governments are prioritizing digital transformation over cyber hygiene. The lesson? Open-source ≠ secure, customization ≠ innovation, and compliance ≠ competence. For CISOs in similar situations:
- Audit your forks. Every custom modification is a supply chain risk.
- Assume breach. Errenteria’s data was exposed for six months before detection. Your SIEM better be real-time.
- Budget for failure. The cost of a breach (€20M GDPR fine + €5M reputational damage) dwarfs the €1.2M spent on “security.”
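An added example, not part of the original article: a minimal detector for the credential-stuffing pattern described above, run over constructed auth log lines. It flags a source that cycles through many distinct accounts within a short window and reports any successful login from such a source as a likely takeover. The log format, thresholds and sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumed "auth FAIL|OK user= ip=" format, not the city's
# real logs): one source walks through six accounts in seconds and lands one
# hit; a second source is a normal user who mistyped a password twice.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z auth FAIL user=ane.e@example.eus ip=198.51.100.7
2025-03-01T10:00:02Z auth FAIL user=jon.a@example.eus ip=198.51.100.7
2025-03-01T10:00:03Z auth FAIL user=miren.z@example.eus ip=198.51.100.7
2025-03-01T10:00:04Z auth OK user=iker.g@example.eus ip=198.51.100.7
2025-03-01T10:00:05Z auth FAIL user=amaia.l@example.eus ip=198.51.100.7
2025-03-01T10:00:06Z auth FAIL user=unai.b@example.eus ip=198.51.100.7
2025-03-01T10:01:00Z auth FAIL user=leire.o@example.eus ip=203.0.113.20
2025-03-01T10:01:30Z auth FAIL user=leire.o@example.eus ip=203.0.113.20
2025-03-01T10:02:00Z auth OK user=leire.o@example.eus ip=203.0.113.20
"""
LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) ip=(\S+)$")


def parse(text):
    """Yield (timestamp, ok, user, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2) == "OK", m.group(3), m.group(4)


def detect_stuffing(text, window=timedelta(minutes=5), min_users=5):
    """Flag a source IP that tries >= min_users distinct accounts inside
    `window`; any successful login from a flagged source is a takeover
    candidate. Returns (flagged: {ip: users_tried}, takeovers: [(user, ip)])."""
    events = sorted(parse(text))  # chronological
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this source's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {e[2] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    takeovers = [(u, ip) for _, ok, u, ip in events if ok and ip in flagged]
    return flagged, takeovers
```

A real deployment would feed this from the portal's auth log in near real time rather than a batch, and tune the window and threshold to the portal's normal traffic.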
The hard truth? Municipal cybersecurity isn’t about tools—it’s about politics. And in Errenteria, the politicians just got burned.