Spanish energy provider Endesa and its regulated electricity operator Energía XXI have begun notifying customers after detecting unauthorized access to the company’s internal systems, resulting in the exposure of personal and contract-related data. The Endesa data breach incident, publicly disclosed by the company, impacts customers linked to Endesa’s commercial platform and is currently under investigation.
Endesa, Spain’s largest electric utility company and a subsidiary of the Enel Group, provides electricity and gas services to millions customers across Spain and Portugal. In total, the company reports serving approximately 22 million clients.
The Endesa data breach specifically affects customers of Energía XXI, which operates under Spain’s regulated energy market.
Unauthorized Access Detected on Commercial Platform
According to Endesa, the security incident involved unauthorized and illegitimate access to its commercial platform, enabling attackers to view sensitive customer information tied to energy contracts. In a notification sent to affected customers, the company acknowledged the Endesa data breach, stating:
“Despite the security measures implemented by this company, we have detected evidence of unauthorized and illegitimate access to certain personal data of our customers related to their energy contracts, including yours.”
The company clarified that while account passwords were not compromised, other categories of data were potentially accessed during the incident.
Types of Data Potentially Exposed in Endesa Data Breach
Based on the ongoing investigation, Endesa confirmed that attackers may have accessed or exfiltrated the following information:
- Basic identification data
- Contact information
- National identity card numbers
- Contract-related data
- Possible payment details, including IBANs
Despite the scope of exposed data, Endesa emphasized that login credentials remained secure, reducing the likelihood of direct account takeovers.
Endesa Activates Incident Response Measures
Following detection of the Endesa data breach, the company activated its established security response protocols to contain and mitigate the incident. In its official statement, Endesa detailed the actions taken:
“As soon as Endesa Energía became aware of the incident, the established security protocols and procedures were activated, along with all necessary technical and organizational measures to contain it, mitigate its effects, and prevent its recurrence.”
These actions included blocking compromised internal accounts, analyzing log records, notifying affected customers, and implementing enhanced monitoring to detect further suspicious activity. The company confirmed that operations and services remain unaffected.
Authorities Notified as Investigation Continues
As required under applicable regulations, Endesa notified the Spanish Data Protection Agency and other relevant authorities after conducting an initial assessment of the incident. The company stated that the investigation is ongoing, involving both internal teams and external suppliers, to fully understand the cause and impact of the breach.
Addressing customer concerns, Endesa noted:
“As of the date of this communication, there is no evidence of any fraudulent use of the data affected by the incident, making it unlikely that a high-risk impact on your rights and freedoms will materialize.”
Customers Warned of Potential Phishing and Impersonation Risks
While no misuse of data has been identified so far, Endesa acknowledged potential risks associated with the exposed information. Customers have been urged to remain vigilant against identity impersonation, data misuse, phishing attempts, and spam campaigns.
The company advised affected individuals to report any suspicious communications to its call center and to avoid sharing personal or sensitive information with unknown parties. Customers were also encouraged to contact law enforcement in case of suspected fraudulent activity.
The Cyber Express Team has contacted Energía XXI and Endesa seeking further clarification on the incident and its impact. However, at the time of publication, no additional response had been received from either entity.
