In 2026, organizations in Colombia face an average of 2,803 weekly cyberattacks, with potential losses up to US$6.3 million per incident. Recent data leaks via third-party providers have exposed sensitive information from BBVA and Nubank clients, as well as from entities like Supersalud and Dian. Experts warn about the vulnerability of these weak links in the security chain.
Colombian organizations report an average of 2,803 weekly cyberattacks in 2026, according to ERC Colombia data. In the first half of 2025, more than 7.1 billion cyberattack attempts were recorded. A Superintendencia de Industria y Comercio report reveals that 60% of organizations lack sufficient data protection measures, despite Ley 1581 of 2012.
In April, a cyberattack on a debt collection provider leaked data from BBVA and Nubank clients, including names, IDs, phones, and debt amounts, though not passwords or financial products. The Superintendencia Nacional de Salud confirmed unauthorized access to its Superargo system, affecting 1.6% of documentation related to complaints and claims. The Dian suffered an attack compromising information of 18 million people, such as IDs and phone numbers.
"What we are seeing is an evolution toward high-precision frauds," said Óscar Díaz, CCO of ERC Colombia. Oscar Rodríguez of Veracode noted: "Colombia has advanced in digitalization, but that fragmentation expands the attack surface." Cybercriminals now target third parties with weaker controls.
Consequences include losses of up to US$6.3 million per event, disruptions lasting more than 36 hours, and fines of up to 2,000 minimum wages. In Colombia, a third of organizations are affected by third-party vulnerabilities, which account for up to 64% of global incidents.