News: 1768385712

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Spanish power giant sparks breach probe amid claims of massive data grab

(2026/01/14)


Spanish energy giant Endesa is warning customers about a data breach after a cybercrim claimed to have walked off with a vast cache of personal information allegedly tied to more than 20 million people.

Endesa is Spain's largest electricity utility and a subsidiary of Italy's Enel Group, supplying power and gas to millions of homes and businesses across the Iberian Peninsula.

In a [1]notice tucked away on its website, Endesa said it uncovered "unauthorized and illegitimate access" to a commercial platform used to manage customer information, prompting the activation of its incident response procedures and an internal investigation.

[2]

The company said it acted "immediately" to contain the intrusion, but acknowledged that attackers were able to access and potentially exfiltrate "certain personal data of our customers related to their energy contracts" before the door was shut.

[3]

[4]

The information involved may include identifying and contact details, national identity numbers, and contract-related data, with some customers' bank account numbers (IBANs) also potentially exposed. Endesa said passwords were not accessed, a small mercy that may head off mass account takeovers, but one that offers little reassurance to customers whose ID and banking details could now be doing the rounds.

Affected customers have been notified, and the incident has been reported to Spain's data protection watchdog, the Agencia Española de Protección de Datos, as required under GDPR.

[5]Infamous BreachForums forum breached, spilling data on 325K users

[6]Meta admits to Instagram password reset mess, denies data leak

[7]ESA calls cops as crims lift off 500 GB of files, say security black hole still open

[8]Brightspeed investigates breach as crims post stolen data for sale

What Endesa has not addressed publicly is a set of far more dramatic claims circulating in cybercrime-watching circles. A miscreant using the handle "Spain" has claimed responsibility for the incident, alleging the theft of a 1.05 TB database containing the personal data of more than 20 million individuals.

Bear in mind that cybercriminals are notorious for inflating the scale of their haul to pile pressure on targets, while companies tend to say as little as possible until forensic work is complete and lawyers have had their say.

[9]

The Register asked Endesa whether it could confirm or deny the accuracy of the attackers' claims, but did not receive a response. The company has also not disclosed how its systems were compromised or whether the breach involved stolen credentials, a software flaw, or another point of entry.

Endesa is advising customers to stay alert for suspicious communications, particularly phishing emails, unexpected calls, or requests for personal or banking information. It will release further updates if its investigation uncovers additional relevant details.

Whether this turns out to be a limited exposure or one of Spain's largest data breaches will hinge on what that investigation ultimately finds. ®

Get our [10]Tech Resources



[1] https://www.endesa.com/endesa-proteccion-de-datos-es

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aWlxoP2A38S0UGJNH_lP1gAAA0c&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aWlxoP2A38S0UGJNH_lP1gAAA0c&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aWlxoP2A38S0UGJNH_lP1gAAA0c&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.theregister.com/2026/01/12/breachforums_breach/

[6] https://www.theregister.com/2026/01/11/infosec_news_in_brief/

[7] https://www.theregister.com/2026/01/07/european_space_agency_breach_criminal_probe/

[8] https://www.theregister.com/2026/01/06/brightspeed_investigates_breach/

[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aWlxoP2A38S0UGJNH_lP1gAAA0c&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[10] https://whitepapers.theregister.com/


cd

Why does a power company need to have and hold personal data?

Breaches...AI companies that need more data...related?

GeneralDisaster

Billing, my power company regularly sends me bills, doens't yours?

Neil Barnes

Mine does. But all it _needs_ is an address (not a name) and an account reference so it knows what a payment refers to.

A civilised company would expect the customer to pay upon receiving a bill, rather than grabbing directly from the customers' bank.

Anthony Hulse

Commercial contracts under Spanish law need the NIF or NIE number (the ID number) attached to prevent fraud. The rest of the data they hold is basically direct debit instructions and which address the supply is for.

_wojtek

a bit of context: in most of the Europę usually when you sign UO for contract you provide full details (name, address, national personal identification number). In case of Spain, from what I noticed, "direct debit" is super popular and is used a lot so you provide whichever organisation your bank account number and authorise them to charge it (as oposed to providing card details). To a point where you also give it to Hacienda (treasury/revenue office) and Seguridad Social (national health insurer) and they debit de amount due directly base on your fillings...

The internet is a war zone

m4r35n357

It is no place for personal data any more.

DB containing 20 million records

Anonymous Coward

Entirely possible, Endesa is one of the big three suppliers in Spain and they supply customers and businesses.

The fact they even bothered to mention that customers' usernames and passwords was safe when thieves walked off with ID numbers, names, addresses, phone numbers, and IBANs is yet another sad indictment of their customer service, if it can be called that. There's not much else anyone needs to start committing identity fraud.

Our civilisation is held together with strings, yoghurt pots, apps, and "digital signing" using SMS codes when we should all be using hardware tokens at the very least.

Re: DB containing 20 million records

nobody who matters

I am afraid that the way things seem to be steadily going, there are some very strong arguments for suggesting that we should all be using means of communication and storage of important data that do not involve the internet.

Critical Success Factors

pc-fluesterer.info

There are two CSF:

1. Do not, repeat NOT, employ proprietary (closed-source) products. They are riddled with backdoors, from network appliance to backoffice. With FOSS there is still no guarantee, but you are better off by orders of magnitude.

2. Adhere do best practice (least privilege, MFA, you name it).

ahh...

xyz

I got an sms off Endesa the other day with a link to some weird name website. I just presumed it was spam. When will Spanish companies start using their own urls?

Linux: Because rebooting is for adding hardware

Solaris: Because you don't need to reboot to add hardware

Windows: Because rebooting is for adding hardware, adding software,
regularly scheduled downtime, and should also be done on a daily basis to
keep the machine running.

-- From a Slashdot.org post