Endesa Reports Cyber Security Incident Affecting Sensitive Customer Information

Endesa has announced a data security breach after malicious actors gained unauthorised access to its internal network, leading to the theft of confidential corporate data and sensitive personal information of its customers.

 

Endesa is a major Spanish integrated energy company and a subsidiary of Italy’s Enel Group, operating across electricity and natural gas generation, distribution, and sales in Spain and Portugal, with additional services in renewables, EV charging, and smart city solutions, and operating its gas business under the Energia XXI brand.

 

In a data security incident notice published on its website, Endesa stated that it recently identified a breach in which threat actors gained unauthorised access to its internal network and commercial platform. The energy company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

It also took steps to secure the affected systems and notified relevant law enforcement authorities about the incident.

 

“This incident has compromised the confidentiality of certain data for which Endesa Energía is responsible.

 

“Despite the security measures implemented by this company, we have detected evidence of unauthorised and illegitimate access to certain personal data of our customers related to their energy contracts,” Endesa said.

 

The compromised data included identification and contact information, identification numbers, and details related to customer contracts with Endesa Energía, including payment information. The company, however, confirmed that account passwords were not accessed and remain secure.

 

After identifying the incident, Endesa Energía activated its security protocols and implemented technical and organisational measures to contain the breach, mitigate its impact, and prevent further unauthorised access. These steps included blocking compromised accounts, analysing logs, notifying affected customers, and enabling continuous system monitoring.

 

In accordance with applicable regulations, the company notified the relevant authorities, including the Spanish Data Protection Agency.

While Endesa Energía found no evidence of the compromise data being misused, it has urged affected individuals to remain vigilant and report any suspicious activity to law enforcement authorities.