- Cyberattack on the Endesa and Energía XXI commercial platform with access to personal and banking data of millions of customers.
- The hacker "Spain" claims to have stolen more than 1 TB of information with up to 20 million records.
- Passwords unaffected, but high risk of fraud, phishing and identity theft.
- Endesa activates security protocols, notifies the AEPD, INCIBE and the Police, and offers telephone helplines.
The recent cyberattack against Endesa and its regulated energy supplier Energía XXI has raised concerns about the protection of personal data in the energy sector. The company has acknowledged unauthorized access to its commercial platform that has exposed sensitive information of millions of users in Spain.
According to the company's statements to those affected, the incident allowed an attacker to extract data related to electricity and gas contracts, including contact information, identity documents, and bank details. Although the electricity and gas supply has not been compromised, the scale of the breach makes it one of the most delicate episodes in recent years in the European energy sector.
How the attack on the Endesa platform occurred

The electric company explained that a malicious actor managed to overcome the security measures implemented on its commercial platform and access databases that contain customer information from both Endesa Energía (free market) and Energía XXI (regulated market). The incident reportedly occurred at the end of December and came to light when details of the alleged theft began circulating on dark web forums.
Endesa describes what happened as an “unauthorized and illegitimate access” to its commercial systems. Based on initial internal analysis, the company concludes that the intruder would have had access to, and could have exfiltrated, different blocks of information associated with energy contracts, although it maintains that users' login credentials have remained safe.
The cyberattack, according to company sources, occurred despite the security measures already implemented and has forced a thorough review of its technical and organizational procedures. In parallel, an internal investigation has been launched in collaboration with its technology providers to reconstruct in detail how the intrusion occurred.
While that investigation is ongoing, Endesa emphasizes that its commercial services continue to operate normally, although some user access has been blocked as a containment measure. The priority in these first few days has been to identify affected customers and notify them directly of what has happened.
What data has been compromised in the cyberattack

The company's communications detail that the attacker was able to access basic personal and contact information (name, surname, telephone numbers, postal addresses and email addresses), as well as information associated with electricity and gas supply contracts.
The potentially leaked information also includes identity documents such as the DNI (National Identity Document) and, in certain cases, the IBAN codes of bank accounts related to bill payments. That is, the exposure covers not only administrative or commercial data, but also particularly sensitive financial information.
Furthermore, various sources and leaks published in specialized forums suggest that the compromised data would include detailed energy and technical information, such as the CUPS (unique supply point identifier), billing history, active electricity and gas contracts, recorded incidents, or regulatory information linked to certain customer profiles.
The company insists, however, that the passwords for the private areas of Endesa Energía and Energía XXI have not been affected by the incident. This means that, in principle, the attackers would not have the necessary keys to directly access customers' online accounts, although they do have enough data to try to deceive them through personalized fraud.
A portion of the company's former customers has also started receiving notifications alerting them to the potential exposure of their data, which suggests that the breach affects historical records and not just currently active contracts.
The hacker's version: over 1 TB and up to 20 million records

While Endesa analyzes the exact scope of the incident, the cybercriminal who claims responsibility for the attack, calling himself "Spain" on the dark web, has offered his own version of events in specialized forums. According to his account, he managed to access the company's systems in a little over two hours and exfiltrate a database in .sql format larger than 1 terabyte.
In those forums, Spain claims to have obtained data from around 20 million people, a figure that would go far beyond the approximately ten million customers that Endesa Energía and Energía XXI have in Spain. To prove that this is not a bluff, the attacker has even published a sample of about 1,000 records with real and verified customer data.
The cybercriminal himself has contacted media outlets specializing in cybersecurity, providing specific data on journalists who had contracts with Endesa to support the authenticity of the leak. These media outlets have corroborated that the data provided matched relatively recent domestic supply contracts.
Spain asserts that, for the moment, he has not sold the database to third parties. Although he acknowledges receiving offers of up to $250,000 for approximately half of the stolen information, he maintains in his messages that he prefers to negotiate directly with the power company before finalizing any deals with other interested parties.
In some of those exchanges, the hacker criticizes the company for its lack of reaction, stating that “They haven’t contacted me; they don’t care about their customers,” and threatening to release more information if he doesn't get a response. Endesa, for its part, maintains a cautious public stance and limits itself to confirming the incident, without commenting on the attacker's claims.
Possible extortion and negotiation with the company
Once the security breach was made public, the scenario evolved into an attempt to pressure the company. The cybercriminal claims to have sent emails to several Endesa corporate addresses attempting to initiate negotiations, in what resembles an extortion tactic without an initially set ransom.
As Spain himself has explained to some media outlets, his intention would be to agree with Endesa on a financial amount and a deadline in exchange for not selling or distributing the stolen database. For now, he claims not to have publicly disclosed a specific figure and is awaiting a response from the energy company.
Meanwhile, the attacker insists that if he fails to reach any kind of agreement, he will be forced to accept offers from third parties who have shown interest in acquiring the data. This strategy fits into an increasingly common pattern in cybercrime, where the theft of personal and financial data is used as leverage to pressure large companies.
From a legal and regulatory point of view, any ransom payment or covert agreement opens up a complex ethical and legal scenario. Therefore, companies usually avoid commenting on these types of contacts. In this case, Endesa has simply reiterated that it is cooperating with the relevant authorities and that its priority is protecting its customers.
Meanwhile, the security forces have begun to track the attacker's activity on the dark web and are already gathering evidence to identify him. Some sources suggest the attack may have originated in Spain, although there is no official confirmation yet regarding the true identity of "Spain".
Official response from Endesa and actions taken by the authorities

After several days of speculation and posts on underground forums, Endesa has begun to send emails to potentially affected customers explaining what happened and offering basic protection recommendations. In these messages, the company admits to the unauthorized access and briefly details the type of data that was compromised.
The company claims that, as soon as the incident was detected, it activated its internal security protocols. The company blocked the compromised credentials and implemented technical measures to contain the attack, limit its effects, and try to prevent a similar incident from happening again. Among other actions, it is conducting special monitoring of access to its systems to identify any anomalous behavior.
In accordance with European data protection regulations, Endesa has reported the breach to the Spanish Data Protection Agency (AEPD) and to the National Cybersecurity Institute (INCIBE). The State Security Forces and Corps have also been notified and have opened proceedings to investigate the events.
The company insists that it is acting with “transparency” and in collaboration with the authorities, and recalls that the notification obligation extends to both regulators and users themselves, who are being informed in phases as the specific scope of the leak becomes clearer.
Consumer associations such as Facua have asked the AEPD to open a thorough investigation to determine whether the power company had adequate security measures in place and whether the breach management is being carried out in accordance with regulations. The focus is on, among other aspects, the speed of the response, the prior protection of the systems, and the measures that will be adopted going forward to minimize risks.
Real risks for customers: identity theft and fraud

Although Endesa maintains in its statements that it considers it “unlikely” that the incident will result in high-risk harm to the rights and freedoms of customers, cybersecurity experts warn that exposing this type of information opens the door to numerous fraud scenarios.
With information such as full name, ID number, address and IBAN, cybercriminals can impersonate the victims with a high degree of plausibility. This allows them, for example, to try to contract financial products in their name, change contact details in certain services, or initiate claims and administrative procedures pretending to be the legitimate owner.
Another obvious risk is the massive use of the information for phishing and spam campaigns. Attackers can send emails, SMS messages, or make phone calls impersonating Endesa, banks, or other companies, including real customer data to gain their trust and convince them to provide more information or make urgent payments.
The security firm ESET insists that the danger does not end the day the breach is reported. The information obtained in an attack like this can be reused for months or even years, combined with other data stolen in previous incidents to build increasingly sophisticated and difficult-to-detect frauds. To understand the technical consequences of a massive infection, it's helpful to review what happens if a machine is deeply compromised: "What happens if my computer is infected with malware?"
That is why authorities and experts emphasize the importance of maintaining a vigilant attitude in the medium and long term by periodically reviewing bank transactions, unusual notifications and any communication that seems even slightly suspicious, even if some time has passed since the original incident.
Recommendations for those affected by the attack on Endesa
Specialized organizations and cybersecurity companies themselves have disseminated a series of practical measures to minimize the impact of this type of breach among users. The first step is to be wary of any unexpected communication that refers to the incident or to personal and financial data.
If you receive emails, text messages, or calls that appear to be from Endesa, a bank, or another entity, and that include links, attachments, or urgent data requests, the recommendation is not to click on any links or provide any information and, if in doubt, to contact the company directly through its official channels. It's better to spend a few minutes verifying the message's authenticity than to risk falling for a scam. In these cases, it's helpful to know how to block malicious sources: "How to block a website".
Although Endesa insists that its customers' passwords have not been compromised in this attack, experts advise taking this opportunity to renew access passwords for important services and, whenever possible, to activate two-factor authentication. This additional layer of security makes it much more difficult for an attacker to gain access to an account, even if they manage to obtain the password.
It is also recommended to frequently check bank accounts and other financial services linked to the leaked data, to detect unauthorized transactions or unusual charges. If you suspect that information has been provided to a potential fraudster, it is advisable to immediately notify the bank and file a police report.
Free services such as Have I Been Pwned allow you to check if an email address or other data has appeared in known data breaches. While they don't offer absolute protection, they do help you gain a clearer understanding of your exposure and make informed decisions about password changes and other preventative measures.
Help lines and official channels available

To resolve doubts and channel incidents related to the cyberattack, Endesa has enabled dedicated telephone lines for assistance. Endesa Energía customers can call the toll-free number 800 760 366, while Energía XXI users have the 800 760 250 to request information or report any anomalies they detect.
In the communications sent, the company asks users to pay special attention to any suspicious communications in the coming days and to immediately report if they receive messages or calls that generate distrust, either through these phone numbers or by contacting the security forces.
In addition to Endesa's own channels, citizens can also use the National Cybersecurity Institute's help service, which has the free telephone number 017 and the WhatsApp number 900 116 117 to resolve queries related to digital security, online fraud and data protection.
These resources are aimed at individuals, businesses, and professionals, and allow them to obtain expert guidance about the steps to take if they suspect they have been the victim of a scam or if they want to strengthen the security of their accounts and devices after a data breach.
Law enforcement officials recommend that anyone who encounters an attempted scam related to this incident file a formal complaint with the Police or the Civil Guard, providing emails, messages or screenshots that can serve as evidence in a future investigation.
One more attack in the wave of cyber incidents against large companies
The Endesa case adds to a growing trend of cyberattacks against large companies in Spain and Europe, especially in strategic sectors such as energy, transport, finance, and telecommunications. In recent months, companies such as Iberdrola, Iberia, Repsol or Banco Santander have also suffered incidents that have compromised the data of millions of customers.
This type of attack reflects how criminal groups have shifted from focusing on purely financial objectives to focusing on critical infrastructure and multinational corporations, where the value of stolen information and the ability to exert pressure on companies is much greater. The goal is no longer just to obtain an immediate profit, but to acquire data that can be exploited for a long time.
At the European level, authorities have been promoting stricter regulations for years, such as the General Data Protection Regulation (GDPR) or the NIS2 directive on cybersecurity, which requires companies to improve their protection systems and quickly report any relevant incidents.
The leak suffered by Endesa highlights that, despite these regulatory advances, there remains a significant gap between theoretical requirements and the reality of many technological infrastructures. The complexity of legacy systems, the interconnection with numerous providers, and the ever-increasing value of data make these companies a very attractive target.
For users, this scenario means that it is fundamental to combine trust in service providers with a proactive attitude of self-protection, learning to detect warning signs and applying basic digital hygiene guidelines, such as proper password management or verification of sensitive communications.
The cyberattack on Endesa and Energía XXI shows the extent to which a breach in the commercial platform of a large electricity company can expose the personal and financial data of millions of people and lead to extortion attempts, identity theft, and phishing attacks. While authorities investigate and the company strengthens its systems, the best defense for customers is to stay informed, exercise extreme caution with any suspicious messages, and rely on official channels and the recommendations of cybersecurity experts.