Spanish energy giant Endesa is warning customers about a data breach after a cybercrim claimed to have walked off with a vast cache of personal information allegedly tied to more than 20 million people.
Endesa is Spain's largest electricity utility and a subsidiary of Italy's Enel Group, supplying power and gas to millions of homes and businesses across the Iberian Peninsula.
In a notice tucked away on its website, Endesa said it uncovered "unauthorized and illegitimate access" to a commercial platform used to manage customer information, prompting the activation of its incident response procedures and an internal investigation.
The company said it acted "immediately" to contain the intrusion, but acknowledged that attackers were able to access and potentially exfiltrate "certain personal data of our customers related to their energy contracts" before the door was shut.
The information involved may include identifying and contact details, national identity numbers, and contract-related data, with some customers' bank account numbers (IBANs) also potentially exposed. Endesa said passwords were not accessed, a small mercy that may head off mass account takeovers, but one that offers little reassurance to customers whose ID and banking details could now be doing the rounds.
Affected customers have been notified, and the incident has been reported to Spain's data protection watchdog, the Agencia Española de Protección de Datos, as required under GDPR.
What Endesa has not addressed publicly is a set of far more dramatic claims circulating in cybercrime-watching circles. A miscreant using the handle "Spain" has claimed responsibility for the incident, alleging the theft of a 1.05 TB database containing the personal data of more than 20 million individuals.
Bear in mind that cybercriminals are notorious for inflating the scale of their haul to pile pressure on targets, while companies tend to say as little as possible until forensic work is complete and lawyers have had their say.
The Register asked Endesa whether it could confirm or deny the accuracy of the attackers' claims, but did not receive a response. The company has also not disclosed how its systems were compromised or whether the breach involved stolen credentials, a software flaw, or another point of entry.
Endesa is advising customers to stay alert for suspicious communications, particularly phishing emails, unexpected calls, or requests for personal or banking information. It will release further updates if its investigation uncovers additional relevant details.
Whether this turns out to be a limited exposure or one of Spain's largest data breaches will hinge on what that investigation ultimately finds. ®
Source: The register