Cyberattack on Endesa: what happened, what data was leaked, and how it affects customers

  • Cyberattack on the Endesa and Energía XXI commercial platform with illegitimate access to customers' personal and financial data.
  • Names, ID numbers, contact information, energy contracts and, in many cases, IBAN codes have been exposed, but not passwords.
  • The hacker "Spain" claims to have stolen more than 1 TB of information from some 20 million people and has tried to extort the company.
  • Experts and authorities recommend increased vigilance against fraud, phishing, and identity theft, as well as strengthening cybersecurity measures.

Cyberattack on Endesa

Endesa and its regulated energy supplier Energía XXI have confirmed a serious security incident on their commercial platform. The breach allowed an attacker to access sensitive information on a significant portion of the customer base. Although the company insists that passwords have not been compromised, the leak includes personal and financial data that is highly valuable for potential fraud.

The incident has generated concern among millions of users in Spain, as the cybercriminal who claims responsibility for the attack asserts that he extracted over 1 TB of information linked to some 20 million people. While Endesa maintains that no fraudulent use of this data has been detected so far, experts warn that the real risk could persist over time and affect both the privacy and the finances of customers.

How the cyberattack happened and what Endesa has acknowledged


According to a statement from the company itself, Endesa Energía and Energía XXI detected unauthorized and illegitimate access to their commercial platform. The company, which manages electricity and gas contracts, customer data and payment methods, admits that the attacker managed to breach its defenses and access, and even exfiltrate, information stored on its systems.

In the emails sent to those affected, the electricity company explains that the malicious actor had access to basic identifying data (name and surname), contact information, national identity card numbers and details of the energy contracts. Furthermore, in a significant number of cases, payment details were also allegedly compromised, such as the IBAN of the bank accounts associated with the bills.

The company does insist, however, that customer login credentials and passwords have not been exposed. In other words, the stolen information would not allow direct access to users' private areas, but it could be used for other types of fraud, something that particularly worries specialized agencies.

From the moment the intrusion was detected, Endesa claims to have activated its protocols and technical security measures to contain the incident, block compromised access points and strengthen monitoring of its systems. The company also stated that it has analyzed activity logs to trace the attacker's actions and is continuously monitoring the infrastructure for any additional anomalies.

In its communications, the company maintains that it considers it "unlikely" that the incident will result in a high risk for the rights and freedoms of customers. However, it acknowledges that the unauthorized access could facilitate identity theft, dissemination of the data on digital forums, or its use in phishing and spam campaigns.

What data has been leaked and why it is so sensitive


The information that has emerged through specialized media and Endesa's own statement points to an especially sensitive leak. The attacker allegedly gained access to a massive database containing, among other things, the following types of information:

  • Personal details: names and surnames, telephone numbers, email addresses, postal addresses and other contact information.
  • Identification documents: ID numbers and, where applicable, other official identifiers associated with the energy contract.
  • Contractual information: data relating to electricity and gas contracts, account history, changes of ownership, supply conditions or incidents.
  • Energy data: CUPS codes (unique supply point identifier), supply point details and active contracts.
  • Financial information: IBAN, billing information, account-person relationship and, in some cases, bank account modification history.
  • Regulatory data: references to Robinson Lists, exempt accounts or records of regulatory incidents.

Media outlets such as Escudo Digital, which accessed some of the material, maintain that the level of sensitivity of the information is "extreme". The cybercriminal even went so far as to share real data from a journalist to prove that the database was authentic and up to date, including recent domestic contracts.

The combination of personal, identification and banking data creates an ideal scenario for targeted fraud attempts. With a name, ID number, address and bank account number, it is possible to set up very credible scams, from contracting services in the victim's name to impersonating financial institutions or public bodies, as well as carrying out highly personalized phishing campaigns.

Although, as the company emphasizes, passwords have not been exposed, the quality and quantity of the leaked information is enough for an attacker to "build" the identity of many people and use it for criminal purposes, something that experts and authorities have been warning about for some time in the context of the massive digitization of essential services.

The hacker "Spain": 1 TB of data and pressure on the company


The perpetrator of the attack goes by the alias "Spain" and has become known through dark web forums. According to what he has posted, he has obtained over 1 TB of information in .sql format, which would contain around 20 million customer records related to Endesa Energía and Energía XXI.

The cybercriminal claims he managed to access the systems and extract the information in less than two and a half hours. This claim, if true, would point to a significant vulnerability in the configuration or security of the commercial platform. To support his claim, he even published a sample of data from 1,000 customers and shared concrete examples with specialized journalists.

Spain maintains that he initially tried to sell the database to the highest bidder, but that he subsequently tried to contact the company directly to negotiate a supposed "ransom." He claims to have sent emails to different Endesa addresses without receiving a response and states that he has received offers from third parties of up to 250,000 euros for the information, although he says he hasn't closed any sale yet.

The attacker uses an openly defiant tone. In his messages, he reproaches the company for "not caring about its customers" and warns that if he doesn't get a response, he will publish more data to increase the pressure. He even recalls previous sanctions against the company to underscore the potential reputational and regulatory impact of the incident.

For now, there is no record of a specific ransom figure having been set in the negotiations, nor has Endesa publicly acknowledged any direct contact with the attacker. The company merely states that the internal investigation is ongoing and that it is cooperating with its technology providers and the relevant authorities to clarify what happened.

Official response from Endesa and customer support options


In the email sent to those affected, Endesa emphasizes that protecting the privacy and security of personal data is a priority and that it has chosen to communicate the incident transparently. It explains that, after detecting evidence of unauthorized access, contingency plans were activated to close the breach and strengthen security on the platform.

The measures described include the immediate blocking of compromised user accounts, the detailed analysis of access logs, the improvement of internal controls and the implementation of additional technical and organizational actions to reduce the likelihood of a similar attack occurring in the future.

Endesa has also notified the incident to the competent data protection authorities, including the Spanish Data Protection Agency (AEPD), fulfilling its legal obligation to report breaches affecting personal data. The investigation, it explains, is ongoing both internally and with the technology providers involved.

The company emphasizes that, at the time of notification, there is no evidence of fraudulent use of the stolen information and that, based on its initial assessment, it considers it unlikely that the incident will translate into a very high risk for those affected. Nevertheless, it acknowledges that the malicious actor could attempt to impersonate individuals, disseminate the data online, or use the information for mass phishing or spam campaigns.

To resolve doubts and address potential issues, the electricity company has enabled dedicated telephone lines for assistance: 800 760 366 for Endesa Energía customers (free market) and 800 760 250 for Energía XXI customers (regulated market). In addition, it provides an email address to contact its Data Protection Officer for more detailed queries about the processing of personal information.

Real risks: fraud, phishing and identity theft

Beyond the guarantees offered by the company, cybersecurity experts warn that a leak of this magnitude entails very specific risks for users, which can materialize immediately or develop over months, even years.

One of the clearest dangers is the use of the information in highly customized phishing campaigns. Cybercriminals can send emails, SMS messages or instant messages impersonating Endesa, banks or other service providers, using real data (name, address, account number, approximate invoice amounts) to gain credibility.

These messages typically include links to fake websites that mimic the company's design, or documents that appear to be invoices or official communications. In reality, the goal is to steal passwords, obtain more sensitive information, or infect devices with malware that allows deeper access to the victim's accounts.

Another important risk is identity theft to contract services or carry out financial transactions. With a real ID, contact details and account number, criminals can try to take out loans, lines of credit, insurance or other products in the name of the victim, especially in those services where verification controls are more lax.

Experts also point out that bank details such as the IBAN can be used to attempt to set up direct debits or carry out unauthorized transactions. While banks allow incorrect payments to be returned, it is essential to review transactions frequently so that any anomaly is detected as soon as possible and a claim can be filed.


What customers should do: practical tips

Faced with a breach of this kind, the recommendations for users go beyond simple concern. Organizations such as INCIBE, consumer associations and cybersecurity companies agree on a series of basic digital self-protection measures, which should be applied without delay.

  • Be wary of unexpected communications that appear to be from Endesa, banking entities or other companies and that ask for personal data, passwords, codes or urgent payments.
  • Do not click on links or download attachments of suspicious emails, SMS or WhatsApp messages, even if they contain real contract or account information.
  • Always verify any suspicious communication through official channels (verified company or bank phone numbers and websites) before providing information or making payments.
  • Check bank accounts and statements frequently to detect unauthorized charges or direct debits and, if found, report them to the bank immediately.
  • Save emails and communications received from Endesa regarding the incident, as they may serve as evidence in the event of claims or complaints.
  • Consider enabling two-step verification in the main online services (email, digital banking, social networks, etc.) to add an extra layer of security.
  • Change old or reused passwords, even though in this case they have not been leaked, and opt for strong, unique combinations for each service.
  • Consult services such as Have I Been Pwned to check if the email or other data has appeared in previous leaks.

Experts like computer engineer Deepak Daswani point out that exposure to attempted fraud is virtually universal and that incidents like the one at Endesa are not isolated events, but part of a growing pattern. Sancho Lerena, CEO of Pandora FMS, emphasizes that many attacks not only seek to steal data, but also to obtain ransom payments or sow chaos and distrust among the population, especially when they affect essential services like energy.

The security firm ESET emphasizes that the true impact of a data breach can extend far beyond the first few days. The stolen information is reused in fraud campaigns conducted over long periods, taking advantage of customers' prior trust in the affected brand. That is why they recommend remaining vigilant in the medium and long term, not just when the breach is reported.

A problem that goes beyond Endesa: a rise in cyberattacks on the energy sector

The Endesa case is part of an upward trend in cyberattacks against critical infrastructure and large companies in Spain and the rest of Europe. Data from the National Cybersecurity Institute (INCIBE), analyzed by the Spanish technology company Pandora FMS, indicates a 43% increase in incidents targeting essential sectors in the last year.

Within those sectors, the energy sector accounts for around 9% of the recorded incidents, a particularly relevant figure that connects with analyses on how the electricity sector acts as a refuge in stock market crashes.

Recently, several companies listed on the Ibex 35 have acknowledged cyberattacks resulting in data leaks, service disruptions or extortion attempts, including Iberdrola, Repsol, Iberia and Banco Santander, which has affected electricity stocks.

Experts warn that many of these attacks are facilitated by failures in network segmentation, inadequate access controls and insufficient knowledge of the organization's own technological infrastructure. Reliance on external services without thorough oversight and a lack of qualified internal staff are also weaknesses that attackers frequently exploit.

In this context, monitoring and observability solutions such as those offered by Pandora FMS make it possible to continuously monitor systems, networks and applications, detecting anomalous behavior and anticipating unauthorized access. The use of artificial intelligence to identify unusual patterns or configuration errors is becoming increasingly common, precisely because many incidents are due not only to external breaches, but also to internal failures within the organizations themselves.

In light of the cyberattack on Endesa, it is clear that investment in cybersecurity is no longer a mere expense, but a structural necessity to protect service continuity, customer confidence and the stability of the economic system. The massive handling of data and the increasing digitization of processes amplify the attack surface, and criminals are learning to exploit it.

The incident suffered by Endesa shows the extent to which a single illegitimate access can compromise the personal, financial and regulatory data of millions of users, and how that material can end up in the hands of criminals willing to exploit it. While the official investigation continues and the company tries to contain the impact, customers are forced to strengthen their own digital defenses and be especially vigilant against any attempt at deception that uses their relationship of trust with their energy supplier as bait.
