A ‘hack’ to Endesa Energía compromises sensitive customer data, including ID and payment methods

Endesa Energy has recognized unauthorized access to its commercial platform which has resulted in the extraction of customer data related to their contracts, including identification document and means of payment.

A malicious actor has bypassed the security measures implemented by the company on its trading platform in a recent security incident, of which it has already begun to notify affected users via email.

This incident, an “unauthorized and illegitimate access,” as the company puts it, has resulted in the extraction of sensitive personal data of clients related to electricity and gas contracts.

According to the investigation that has been initiated, the malicious actor “would have had access and could have exfiltrated” contact details, identity documents and IBAN from the bank account. Endesa Energía clarifies that access passwords have not been affected.

Although at the moment it has not detected any misuse of the stolen data, it warns that the malicious actor could attempt to usurp or impersonate clients, publish such data in digital forums or use it to send fraudulent emails or messages within ‘phishing’ and ‘spam’ campaigns.

As indicated in the email, it is considered “unlikely” that this theft “will result in a high-risk impact on your rights and freedoms,” although it recommends that clients Be on the lookout for “possible suspicious communications” that you may receive in the coming days” and urges you to report any suspicious action at the telephone number: 800 760 366.

As soon as it became aware of the incident, Endesa Energía has also activated the security protocols and procedures established for these cases, as well as “all the technical and organizational measures necessary to contain it, mitigate its effects and prevent its recurrence in the future.”

The ‘Escudo Digital’ portal, which reported the ‘hack’ to Endesa on January 6, indicated that the hacker who carried out the alleged cyberattack published details about it in a ‘dark web’ forum on Sunday, January 4, where he revealed that he had obtained more than 1 TB of information of the company referring to more than 20 million people.

“Due to the names of tables and files, the level of sensitivity of the data is extreme. There is personal data, such as names and surnames, contact data, postal address, and account-person relationship; financial data, such as IBAN, billing data and account history and changes; energy data, such as CUPS (unique supply point identifier), active electricity and gas contracts, supply point data and regulatory data, such as Robinson Lists, exempt accounts and incident history,” it indicated. ‘Digital Shield’.