In early January 2026, Spanish energy giant Endesa disclosed a significant data breach impacting millions of its customers. The breach, which affected customers linked to Endesa’s commercial platform, exposed sensitive personal and contract-related data, sparking concerns over potential identity theft, phishing attacks, and misuse of financial details. This cyberattack has not only put millions of customers at risk but also raised alarms over the growing threat of cybercrime within critical industries like energy.
Hackers Sell Stolen Data
According to multiple reports, hackers gained unauthorized access to Endesa’s systems, reportedly extracting a vast amount of personal information. Claims surrounding the breach have been circulating widely, with cybercriminals asserting that they have stolen a database containing data on over 20 million individuals. The attackers reportedly targeted sensitive information, including contact details, national identity numbers, contract-related information, and bank account numbers (IBANs).
A notable claim surfaced on underground cybercrime forums where the attackers allegedly offered the stolen data for sale. The database, according to the criminals, is around 1TB in size and includes SQL files from Endesa’s commercial platform. While there has been no official confirmation from Endesa regarding the sale of the data, experts have expressed concern over the authenticity of these claims, noting that such large data breaches often lead to stolen data being traded on the dark web.
Evidence of the Breach
Although Endesa has not directly acknowledged the sale of customer data, independent investigations have found evidence that aligns with the claims made by cybercriminals. A database containing millions of Endesa customer records reportedly appeared on dark web marketplaces, offering the stolen information to interested buyers. These records include not just personal details but also financial data, such as IBAN numbers, further raising concerns about potential fraud and phishing risks.
The authenticity of these claims remains uncertain, and Endesa has not provided specific details about how the data was exfiltrated or whether stolen credentials or a software vulnerability was involved in the breach. However, the presence of data for sale on the dark web has put additional pressure on the company to address the situation.
Endesa’s Response
Upon discovering the breach, Endesa swiftly activated its incident response procedures. The company blocked compromised accounts and launched an internal investigation to determine the full scope of the breach. While the company confirmed that customer passwords were not exposed, it acknowledged that other sensitive information—such as personal identification numbers and payment details—was compromised.
Endesa has notified the affected customers, urging them to remain vigilant for suspicious activity, particularly phishing emails or other attempts at impersonation. The breach was also reported to Spain's data protection authorities, in compliance with the General Data Protection Regulation (GDPR). Despite the company’s swift response, questions remain about the breach’s scale and the methods used by the attackers to infiltrate the system.
The Scale of the Breach
As of now, the full extent of the breach is still unclear. Endesa has yet to confirm the exact number of customers impacted, although the leaked data allegedly affects millions across Spain and Portugal. The company serves approximately 22 million customers in total, and while not all of them are believed to have been affected, the breach has still been described as one of the most significant security incidents to hit the energy sector in recent memory.
While some reports have suggested the breach could involve data from over 20 million individuals, it is difficult to verify the claims given the limited official information available. Endesa has refrained from disclosing further specifics on the scale of the data loss, citing the ongoing investigation.
What’s at Stake: Potential Implications for Customers
For those affected, the breach poses a significant risk of identity theft and financial fraud. The leaked data includes sensitive personal information such as national ID numbers, contact details, and IBANs—critical pieces of data that could be exploited by cybercriminals for impersonation, phishing scams, and even financial theft.
Endesa has advised its customers to be cautious of unsolicited emails, phone calls, or messages that request personal information. The company has also warned that phishing attempts and other malicious activities may increase in the wake of the breach.
Investigations and Legal Oversight
Authorities have been informed of the breach, and both Spanish law enforcement and the country’s data protection agency, the Agencia Española de Protección de Datos, are involved in the ongoing investigation. Under GDPR, Endesa is required to notify affected individuals and report the incident to the relevant authorities within 72 hours of detection. The company's transparency in reporting the breach and cooperating with investigators is a step toward minimizing potential damages.
However, there are still many unanswered questions about how the hackers gained access to Endesa's systems. It remains unclear whether this was due to a specific vulnerability in the company’s systems, stolen employee credentials, or a more sophisticated attack involving multiple methods of infiltration.
How Endesa Plans to Move Forward
Endesa has promised to keep its customers informed as new details emerge from the investigation. The company has claimed that it is working with cybersecurity experts and law enforcement to mitigate any further risks associated with the breach. It is also likely that Endesa will undertake a thorough review of its security measures to prevent similar incidents in the future.
As the investigation continues, Endesa is expected to provide further updates on the breach’s impact and the specific steps being taken to protect customers' data going forward. The company is also likely to face legal scrutiny, with potential fines or penalties under GDPR if the breach is deemed to have resulted from inadequate security measures.
Conclusion
This latest breach at Endesa highlights severe cybersecurity vulnerabilities within critical infrastructure, particularly in the energy sector. While the company claims it swiftly contained the intrusion, the exposure of sensitive customer data, including personal identification and financial details, has raised major concerns. At this stage, there is no indication that the breach affected Endesa’s operational capabilities or power distribution; the intrusion appears to have focused primarily on data. As investigations continue, further updates are expected regarding the breach’s full scope.


