Endesa Reports Data Breach Affecting Energía XXI Customers
Overview of the Incident
Spanish energy company Endesa, along with its regulated operator Energía XXI, has begun contacting customers following unauthorized access to its internal systems. The incident exposed personal and contract-related information belonging to clients associated with Endesa’s commercial platform. An investigation is currently underway following the public disclosure of this data breach.
Endesa stands as Spain’s largest electric utility provider and is part of the Enel Group. It delivers electricity and gas to millions of households across Spain and Portugal, claiming to serve around 22 million clients in total. The breach particularly affects customers who are part of Energía XXI, which operates within the regulated energy framework in Spain.
Unauthorized Access Details
In a notification sent to customers, Endesa elaborated on the breach, indicating that there was unauthorized access to its commercial platform. This breach allowed attackers to potentially view sensitive customer data related to energy contracts. The company acknowledged this security incident with the following statement:
“Despite the security measures implemented by this company, we have detected evidence of unauthorized and illegitimate access to certain personal data of our customers related to their energy contracts, including yours.”
Notably, Endesa clarified that, while account passwords remained secure, other types of data were at risk during this incident.
Types of Data at Risk
The ongoing investigation has revealed that the attackers might have accessed various personal information, including:
- Basic identification details
- Contact information
- National identity card numbers
- Contract-related information
- Potential payment details, such as IBAN numbers
Endesa has emphasized that login credentials were not compromised, which significantly lowers the chance of direct account takeovers.
Response Measures by Endesa
After detecting the breach, Endesa promptly activated its security incident response protocols to contain and address the situation. In its official statement, the company described the measures it took:
“As soon as Endesa Energía became aware of the incident, the established security protocols and procedures were activated, along with all necessary technical and organizational measures to contain it, mitigate its effects, and prevent its recurrence.”
These measures included disabling compromised internal accounts, reviewing log records for anomalies, notifying affected customers, and strengthening monitoring to detect any further unauthorized activity. According to Endesa, its overall operations and services remain unaffected by the breach.
Notifying Authorities and Ongoing Investigation
As part of regulatory compliance, Endesa has promptly informed the Spanish Data Protection Agency and other pertinent authorities about the breach after an initial assessment. The current investigation is collaborative and involves both internal teams and external partners to ascertain the cause and impact of the security incident.
Endesa has addressed customer anxiety by stating:
“As of the date of this communication, there is no evidence of any fraudulent use of the data affected by the incident, making it unlikely that a high-risk impact on your rights and freedoms will materialize.”
Customer Advisory on Risks
While no misuse has been confirmed at this stage, Endesa has warned its customers about the possible risks associated with the exposed data. They encourage vigilance against identity theft, data misuse, phishing attempts, and unsolicited communications.
Affected individuals have been advised to report any suspicious messages to Endesa’s customer service and to refrain from sharing personal or sensitive details with unknown parties. Customers experiencing fraud concerns are also encouraged to engage local law enforcement.
The Cyber Express Team has contacted Energía XXI and Endesa for more information regarding the incident. As of the latest updates, no further official responses have been received from either organization.


