Endesa has confirmed a data breach involving unauthorized access to its commercial platform, resulting in the exposure of sensitive customer information. The incident affects Endesa customers in Spain and customers of its gas subsidiary, Energia XXI. While the company says no passwords were compromised and there is no evidence of data misuse, the breach included national ID numbers and banking details, raising concerns about identity theft and fraud risks.

Endesa is one of Spain’s largest energy providers and is majority-owned by Enel Group. The company serves roughly 10 million customers in Spain and millions more across Europe. As a critical infrastructure provider, Endesa handles large volumes of personally identifiable information (PII) and financial data, making it an attractive target for cybercriminals.

The breach comes amid heightened scrutiny of cybersecurity practices in the energy sector, where disruptions or data leaks can have broad economic and public trust implications.

According to Endesa’s public notice, attackers gained unauthorized access to the company’s commercial platform and likely exfiltrated customer data. Affected information includes names, contact details, national identification numbers (DNI), contract data, and payment-related information such as IBANs.

Customers of Endesa’s gas distributor, Energia XXI, were also impacted. Endesa began notifying customers approximately one week after a threat actor claimed on a hacker forum to have stolen 1.05 terabytes of data from the company’s systems.

Endesa has not disclosed the precise intrusion vector. However, the breach involved compromised user accounts on its commercial platform. In response, the company says it immediately blocked affected accounts, analyzed log files, and implemented additional monitoring controls.

No passwords were reportedly exposed, suggesting the attackers may have focused on backend systems or misconfigured access controls rather than credential dumps.

The exposed data includes high-value identifiers such as DNI numbers and IBANs, which can be leveraged for fraud, phishing, and identity theft. While Endesa says there is no evidence of malicious use, the nature of the data increases downstream risk for affected customers.

Public reaction has been negative, with customers criticizing both the breach itself and the clarity of Endesa’s communications.

Energy providers sit at the intersection of critical infrastructure and consumer data. Breaches like this highlight the cascading risks when large datasets containing financial and identity information are exposed, even if operational systems remain unaffected.

The discrepancy between the attacker’s claim of 20 million affected customers and Endesa’s actual customer base also underscores the challenge of verifying threat actor statements during active incidents.

Endesa stated that operations remain normal and emphasized its containment and monitoring measures. From an industry perspective, incidents involving national ID and banking data demand heightened transparency, rapid notification, and long-term customer protections, even in the absence of confirmed misuse.