Threat actor claims the theft of full customer data from Spanish energy firm Endesa

Endesa disclosed a data breach exposing full customer data, including contact details, national ID numbers, and payment information.

Spanish energy firm Endesa disclosed a data breach, threat actors stole full customer data, including contact details, national ID numbers, and payment information.

“In this regard, we regret to inform you that Endesa Energía has detected a security incident that has allowed unauthorized and illegitimate access to its commercial platform. This incident has compromised the confidentiality of certain data for which Endesa Energía is responsible.” reads the statement published by the company. “Despite the security measures implemented by this company, we have detected evidence of unauthorized and illegitimate access to certain personal data of our customers related to their energy contracts, including yours. “

Endesa is a major Spanish multinational electric utility company and the largest electricity provider in Spain. It generates, distributes and sells electricity and natural gas, serving over 10 million customers domestically. Endesa is a majority-owned subsidiary of Italian utility group Enel, which holds about 70 % of its shares.

The company has around 8,900 employees (2024 figure). In 2024, Endesa reported €21.3 billion in revenue and a net profit of about €1.89 billion, reflecting strong earnings growth compared with the previous year.

Endesa Energía said attackers accessed and may have exfiltrated customer identification, contact details, national ID numbers, contract data, and possibly IBANs, but not passwords. The company activated security protocols and blocked access that had been compromised. Endesa notified affected customers and authorities, including Spain’s Data Protection Agency. Continuous monitoring is underway while investigations with suppliers continue.

The energy company says it has found no evidence that attackers have misused the affected data, so it considers a serious impact on customers unlikely. However, criminals could still try to impersonate customers, publish stolen data, or launch phishing or spam campaigns.

“As of the date of this communication, there is no evidence of any fraudulent use of the data affected by the incident, making it unlikely that a high-risk impact on your rights and freedoms will materialize. Even so, this unauthorized access to your data by the malicious actor could lead to an attempt to impersonate you, publish this data (resulting in a loss of control over it), or use it to carry out phishing or spam campaigns against you.” concludes the statement.

Customers should stay alert to suspicious calls, emails, or messages and report any concerns to the Endesa call center at 800.760.366. The company advises never sharing personal or sensitive information with unknown contacts and to notify Endesa or law enforcement if fraud is suspected. The Spanish firm confirms that all operations and services continue to run normally.

Endesa did not disclose technical details about the attack that caused the data breach; however, a threat actor claimed on a cybercrime forum to have stolen 1.05 terabytes of data from the company.

Below is the message published by the threat actor on the hacking forum:

“!I hacked into Spain’s largest electricity and gas company (Endesa), access to everything, no one has this database except me.

This thread was accepted and the data was verified as real and unique.

Price: negotiable Total size: (1,055,950,885,115 bytes)

More than +20.000.000 people in one single .sql (fresh data, never seen)!”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)