Spanish energy company Endesa and its regulated electricity provider Energía XXI have started notifying customers after identifying unauthorized access to internal systems that led to the exposure of personal and contract-related information. The incident, which Endesa has publicly disclosed, affects customers associated with the company’s commercial platform and remains under active investigation.
Endesa is Spain’s largest electricity utility and operates as a subsidiary of the Enel Group. The company supplies electricity and gas services to millions of customers across Spain and
Portugal, reporting a total customer base of approximately 22 million. The current incident is limited to customers of Energía XXI, which operates within Spain’s regulated energy market.
Unauthorized Access to Commercial Systems
Endesa reported that attackers gained unauthorized access to its commercial platform, allowing visibility into customer data linked to energy contracts. In notifications sent to impacted customers, the company confirmed the security incident and stated that evidence of illegitimate access to certain personal data had been identified.
Endesa clarified that customer account passwords were not compromised during the incident. However, other categories of personal and contractual information may have been accessed.
Categories of Data Potentially Exposed
Based on findings from the ongoing investigation, Endesa indicated that the exposed information may include basic identification details, contact information, national identity card numbers, contract-related records, and potential payment data such as IBANs. The company stressed that the absence of credential exposure reduces the risk of direct account compromise.
Incident Response and Containment
Upon detecting the incident, Endesa activated its incident response procedures to contain the breach and limit further impact. The company stated that technical and organizational measures were implemented immediately to mitigate the issue and prevent recurrence.
Response actions included disabling affected internal accounts, reviewing system logs, notifying customers, and increasing monitoring for suspicious activity. Endesa confirmed that the incident did not disrupt its services or operational continuity.
Regulatory Notification and Ongoing Investigation
In line with regulatory obligations, Endesa notified the Spanish Data Protection Agency and other relevant authorities after completing an initial assessment. The investigation continues with support from internal security teams and external partners to determine the full scope and root cause of the breach.
Endesa noted that, at the time of notification, there was no evidence indicating fraudulent use of the exposed data. The company stated that the likelihood of significant harm to affected customers remains low.
Customer Advisory and Risk Awareness
Despite the absence of confirmed misuse, Endesa warned customers of potential risks such as identity impersonation, phishing attempts, and spam campaigns. Affected individuals were advised to remain alert and report any suspicious communications to the company’s support channels.
Customers were also encouraged to avoid sharing sensitive information with unknown parties and to contact law enforcement if they suspect fraudulent activity related to the incident.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
