Spanish power utility Endesa said on Monday that a cyberattack had exposed personal information belonging to some of its customers, though the company stressed there was no evidence the data had been misused.
In a notice sent to customers and published on its website, Endesa said a ‘malicious actor’ had gained access to information linked to energy supply contracts, including contact details, identity numbers and payment-related data.
‘In no case have password access data been compromised,’ the company said, adding that its security systems detected, contained and mitigated the breach ‘immediately and satisfactorily’.
‘There is no record of any fraudulent use of the data affected by the incident, making it unlikely that a high-risk impact on your rights and freedoms materialises,’ the message said. Endesa did not disclose when the cyberattack occurred.
The company also declined to say how many customers were affected. Endesa reports having more than 10 million customers across Spain and Portugal.
Endesa said it is continuing to investigate the incident ‘to obtain a full understanding of what happened’ and confirmed that it has reported the breach to the relevant authorities, including Spain’s data protection regulator.
Consumer group Facua has called on the Spanish Data Protection Agency (AEPD) to launch an investigation into the incident and advised customers of Endesa and its subsidiary Energía XXI to remain vigilant.
‘Pay attention to any suspicious communications or requests for unusual actions by email or telephone, as cybercriminals could use this information to try to perpetrate fraud or scams,’ Facua warned.
The incident follows a similar case in November, when Spain’s national airline Iberia said hackers had accessed customer data, although it also reported no indications of fraudulent activity.
Subscribe to the Weekly Newsletter from Spain in English.
Click here to get your business activity or services listed on our DIRECTORY.