Spanish power giant sparks breach probe amid claims of massive data grab
Summary
Endesa, Spain’s largest electricity utility (part of the Enel Group), says it detected unauthorised access to a commercial platform that manages customer information and has launched an investigation. The firm says it acted immediately to contain the intrusion and has notified affected customers and Spain’s data protection authority (AEPD). Endesa warns some personal and contract-related data may have been accessed, and that a subset of customers’ bank account details (IBANs) could be exposed, though passwords were reportedly not taken.
Key Points
- Endesa detected “unauthorised and illegitimate access” to a commercial customer-data platform and initiated incident response procedures.
- Potentially exposed data includes names, contact details, national identity numbers and contract information; some IBANs may also be affected.
- The company says passwords were not accessed, reducing immediate account-takeover risk but not preventing identity or financial fraud.
- An attacker using the handle “Spain” claims a 1.05 TB haul containing data on more than 20 million people — a claim Endesa has not confirmed.
- Endesa has notified affected customers and reported the incident to the Agencia Española de Protección de Datos under GDPR; investigation into the breach vector is ongoing.
Content Summary
Endesa discovered that a commercial platform used to manage customer information had been breached. The company says it moved quickly to contain the intrusion, launched an internal investigation, informed the Spanish data protection regulator and notified customers believed to be affected.
While Endesa confirms some personal and contract-related data may have been accessed and that some IBANs could be exposed, it has not publicly confirmed the scale of the theft. A cybercriminal claiming responsibility says a 1.05 TB database covering over 20 million people was stolen, but such claims can be exaggerated. Endesa has not yet disclosed how the breach occurred or whether credentials, software flaws or another attack vector were used.
Context and Relevance
This could be one of Spain’s larger consumer-data incidents and sits squarely in the ongoing trend of large-scale breaches at major service providers. The potential exposure of national ID numbers and banking details raises the risk of identity theft and financial fraud for affected customers, while the report to the AEPD triggers GDPR oversight and potential regulatory consequences for Endesa. Organisations and consumers should watch for follow-up forensic findings and regulator guidance.
Why should I read this
Got an Endesa account or live in Spain? This matters — it tells you what might be exposed, what Endesa says it did, and what to watch for (phishing, suspicious calls, unexpected bank activity). If you care about how big breaches evolve and how regulators react under GDPR, it’s worth a quick read.
Author style
Punchy: This story could affect millions and has national implications — the details of the forensic findings and regulator response are worth following closely.
Source
https://go.theregister.com/feed/www.theregister.com/2026/01/14/endesa_breach/
