Spanish energy company Endesa has notified customers that their information was compromised in a data breach.
Majority-owned by Italian utility company Enel Group, Endesa has approximately 10 million customers in Spain. It also serves over 10 million customers in other European countries.
In an incident notice on its website, the company said the data breach involved unauthorized access to its commercial platform. Customers of its gas distributor Energia XXI were also affected.
The hackers, the company says, accessed and likely exfiltrated basic customer identification information, contact details, national identification numbers (DNI), contract information, and payment details, including IBANs.
The energy giant says no passwords were compromised, that the incident was quickly contained, and that it has implemented additional safeguards.
“These measures include, among others, the immediate blocking of the compromised user accounts, the analysis of log files, and notification to all customers whose data have been compromised. We are also conducting continuous monitoring of our systems to detect any suspicious activity,” an automated translation of the company’s notice reads.
Endesa says it has no evidence that the stolen data was used maliciously, but advises customers to remain vigilant against identity theft, phishing, and other types of attacks.
“The company’s operations and services are functioning normally, and you can continue to use them,” Endesa said.
Many of the company’s customers took to X to complain about the data breach and the wording in the company’s notice, blaming it for negligence in protecting their information.
Endesa started notifying its customers of the incident roughly a week after a threat actor boasted on a hacker forum about hacking the company and stealing 1.05 terabytes of data from its systems.
The threat actor claims the exfiltrated information belongs to over 20 million Endesa customers, but some users have pointed out that the company does not have as many customers in Spain.
SecurityWeek has emailed Endesa for additional information on the data breach and will update this article if the company responds.
Related: Instagram Fixes Password Reset Vulnerability Amid User Data Leak
Related: Hackers Accessed University of Hawaii Cancer Center Patient Data; They Weren’t Immediately Notified
Related: 377,000 Impacted by Data Breach at Texas Gas Station Firm
Related: Dozens of Major Data Breaches Linked to Single Threat Actor
