Spanish energy giant Endesa discloses data breach affecting customers
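Spanish energy company Endesa and its subsidiary Energía XXI were breached by hackers, exposing customer contract and personal information. The affected data includes identity information, contact details, national ID numbers, contract details, and payment information (including IBANs). The company has blocked internal accounts and notified customers, and has found no password exposure or fraudulent activity. The investigation is ongoing. 2026-1-12 16:0:23 Author: www.bleepingcomputer.com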

Spanish energy provider Endesa and its Energía XXI operator are notifying customers that hackers gained access to the company's systems and to contract-related information, which includes personal details.

Endesa, now owned by Enel Group, is the largest electric utility company in Spain and distributes gas and electricity to more than 10 million customers in Spain and Portugal. In total, the company says it has about 22 million clients.

The energy company notified the Energía XXI customers affected by the breach and also disclosed the security incident publicly, saying that it detected unauthorized access to its commercial platform.

"Despite the security measures implemented by this company, we have detected evidence of unauthorized and illegitimate access to certain personal data of our customers related to their energy contracts, including yours," the company says.

The investigation so far indicates that the hackers had access to the following data types:

  • Basic identification details
  • Contact information
  • National identity numbers (DNI)
  • Contract details
  • Payment details, including IBANs

Both Energía XXI and Endesa specified that the security incident has not exposed account passwords.

In response to the situation, the company blocked access to compromised internal accounts, dumped log records for analysis, and is currently in the process of notifying all customers. Moreover, elevated monitoring has been established to detect further suspicious activity.

As the investigation is still underway, the firm has notified the Spanish Data Protection Agency and all pertinent authorities in the country.

"As of the date of this communication, there is no evidence of any fraudulent use of the data affected by the incident, making it unlikely that a high-risk impact on your rights and freedoms will materialize," Endesa notes.

However, a risk exists, and letter recipients are urged to be vigilant for identity impersonation, data theft, and phishing attacks, and are requested to report any suspicious activity at a number included in the notification.

Alleged Endesa database for sale

Meanwhile, threat actors last week published what they claim to be samples of data stolen from Endesa, allegedly 20 million records. The data is offered for sale to a single exclusive buyer.

[Image: Hacker (Source: BleepingComputer)]

The hacker claims to have around 1TB in SQL databases with Endesa customer information. Based on the details provided by the seller, the data seems to align with what Endesa says the intruder accessed on its systems.

BleepingComputer has contacted Energía XXI and Endesa about these allegations, but a spokesperson only shared the official statement.

Energía XXI says the incident has not impacted its operations or services, so customers may continue to enjoy the same level of services without risk.

The company promised to directly notify affected customers in the coming days if the ongoing investigation uncovers additional details about the incident.

Article source: https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-discloses-data-breach-affecting-customers/