National Cybersecurity Agency escalates alert amid ransomware attack on Avinguda Meritxell mall, disrupting payments and loyalty systems, with wider threats targeting Andorran entities.

Synthesized from: Diari d'Andorra, El Periòdic, Altaveu (+1)

Key Points

  • ANC-AD elevates alert from 'high' to 'very high' after ransomware encrypted shopping centre's systems.
  • Attack disrupted loyalty cards, payments, parking; partial fixes ongoing, full recovery by week's end.
  • AKIRA group suspected; uses double extortion; customers fear data exposure including bank details.
  • Agency advises MFA, firewall updates, monitoring for scans and lateral movement across sectors.

Andorra's National Cybersecurity Agency (ANC-AD) has raised the national cyber alert level from "high" to "very high" after confirming that a major shopping centre on Avinguda Meritxell suffered a ransomware attack, likely by the AKIRA group, that encrypted many of its IT systems. The agency announced the escalation on Monday, citing serious security incidents across multiple entities over the past two days amid rising network scans and exploited vulnerabilities targeting Andorran organisations.

The shopping centre, which has no legal obligation to report the breach, initially informed ANC-AD informally on Monday through unofficial channels. It formally notified the agency on Tuesday, prompting ANC-AD to deploy resources for recovery support. Police and the Data Protection Agency (APDA) were also made aware via complaints from affected customers and suppliers concerned about exposed personal data linked to loyalty cards, including bank details and vehicle registrations for parking payments. ANC-AD has warned critical infrastructure operators to boost monitoring of VPN and RDP access, disable unnecessary remote logins or secure them with multi-factor authentication, update firewalls, and scan for signs of lateral movement or tampered backups.

The attack intensified early Friday, crippling loyalty card functions and causing payment glitches, untracked points, app balance errors showing zero euros, and open parking barriers. Spanish business owners reported delays retrieving vehicles due to billing failures, with staff blaming a generic "technical issue" and resorting to backup card readers. Suppliers faced processing backlogs, while some customers struggled with subscriptions or balance checks.

Technicians worked through the weekend on partial fixes, but full automated services are not expected until the end of this week at the earliest, with manual operations creating delays. The company has assured regulators that, beyond reputational damage, customer inconvenience, and financial losses, no further impacts are known so far, though ransomware cases like this often delay confirmation of data exfiltration. Customers have voiced frustration over poor communication and data security fears, with some questioning whether open barriers signal a cyber breach.

ANC-AD describes AKIRA, active since 2023 as a Ransomware-as-a-Service group, as highly sophisticated in double extortion tactics—encrypting data, stealing it for leak threats, and erasing traces to evade forensics. Officials emphasise the alert addresses a wider threat environment, including activity in Spain and France, rather than isolated cases. Investigations continue, with no details yet on breach scope or other victims.
