At the beginning of 2026, Endesa Energía, one of Spain’s most important electricity companies and a key player in the European energy sector, became involved in one of the most serious cybersecurity incidents of recent years. Unauthorized access to its commercial platform enabled the massive extraction of personal and financial data belonging to millions of people, including not only current customers but also former users who had stopped contracting services with the company several years earlier.
What was initially communicated as a limited security incident ultimately turned out to be a breach of much greater proportions, both due to the volume of information compromised and the sensitive nature of the leaked data. The incident has generated concern among users, cybersecurity experts, regulators, and authorities, and has reignited the debate on personal data protection, corporate responsibility, and the real preparedness of critical infrastructures against cyberattacks.
This article by ITD Consulting analyzes in depth what happened with the hack of Endesa, how it occurred, what information was compromised, who is affected, what the real risks are for citizens, and what lessons this case leaves in a context of increasing digitalization and growing sophistication of cybercrime.
The origin of the incident: Unauthorized access to Endesa’s internal systems
The attack was detected during the first days of January 2026, when Endesa identified anomalous activity on its commercial platform. This Endesa platform is the central system that Endesa uses to manage electricity and gas contracts for millions of users in Spain. It was precisely within this digital infrastructure of Endesa that the unauthorized access that gave rise to the security incident took place.
According to information later confirmed by Endesa itself, an external actor managed to breach the defenses of Endesa’s commercial platform and illegitimately access internal databases managed by Endesa. This unauthorized access directly affected critical Endesa systems, exposing flaws in the protection mechanisms that Endesa had implemented to safeguard its customers’ information.
The unauthorized access allowed the attacker to move within Endesa’s digital environment for a period of time sufficient to copy large volumes of information stored in Endesa’s systems. Although Endesa stated that the access passwords of Endesa customers were not compromised, the security breach suffered by Endesa exposed high-value personal and financial data belonging to Endesa customers and former customers.
One of the most worrying aspects of the Endesa incident is the speed with which the extraction of information from Endesa’s systems reportedly took place. Estimates indicate that the attacker managed to access Endesa’s platform and copy Endesa’s data in just a few hours, which calls into question the effectiveness of the early detection and rapid response mechanisms that Endesa had active at that time.
A massive-scale data breach at Endesa
As the days went by, the true magnitude of the attack suffered by Endesa began to come to light. The data breach associated with Endesa was not a minor incident: the volume of information extracted from Endesa’s systems reportedly exceeded one terabyte of data, an extremely high amount that suggests direct access to complete Endesa databases rather than isolated fragments.
The figures handled indicate that the data of more than 20 million people linked to Endesa may have been compromised. This figure includes both current Endesa customers and former Endesa users who had contracts with the company in the past. The presence of historical Endesa information significantly expands the scope of the impact, as many people who no longer maintain a commercial relationship with Endesa were unexpectedly affected by Endesa’s security incident.
This aspect has generated particular concern around Endesa, as it shows that personal data managed by Endesa can remain stored for years in Endesa’s corporate systems, even after the commercial relationship with Endesa has ended. The hack confirms that this historical Endesa data remains vulnerable in the event of a security breach such as the one suffered by Endesa.
What type of data was compromised at Endesa?
The information extracted during the hack of Endesa is not limited to basic contact data. The Endesa incident exposed a broad set of personal, contractual, and financial data managed by Endesa which, when combined, makes it possible to accurately identify the individuals affected by Endesa’s security breach.
Personal data in Endesa’s systems
Among the personal data compromised at Endesa are names and surnames, full postal addresses, telephone numbers, email addresses, and identity documents such as DNI or NIE stored by Endesa. This type of personal information held by Endesa is particularly sensitive, as it can be used for identity theft or to create detailed profiles of victims based on data originating from Endesa.
Contractual data linked to Endesa
The breach suffered by Endesa includes information related to Endesa’s electricity and gas supply contracts, such as CUPS codes, contract history with Endesa, supply point data managed by Endesa, and other technical information linked to the service provided by Endesa. Although these Endesa contractual data do not allow direct access to bank accounts, they can be used to carry out highly credible scams by posing as official communications from Endesa.
Financial data associated with Endesa
One of the most critical elements of the Endesa incident is the possible exposure of bank account numbers (IBAN) associated with Endesa contracts. Although an IBAN linked to Endesa alone does not allow money to be withdrawn directly from an account, it can be used as a basis for more elaborate fraud related to Endesa, such as unauthorized charges, fraudulent direct debit attempts, or scams linked to refunds and billing adjustments supposedly issued by Endesa.
Current and former Endesa customers: A broader impact than expected
One of the most controversial aspects of the Endesa hack is that Endesa’s security incident does not affect only Endesa’s active customers. The Endesa data breach includes personal information of people who were Endesa customers in the past, including former Endesa users who ended their contractual relationship with Endesa several years ago.
This expanded scope of the Endesa hack is due to the data retention policies that Endesa, like other large companies, applies to keep personal information for long periods of time. Endesa retains data of former customers for legal, tax, and administrative reasons, but the incident has highlighted the risks associated with this practice when Endesa’s systems storing that data are not adequately protected against external attacks.
For many former Endesa customers, receiving a notification from Endesa warning of a security breach was completely unexpected. These individuals considered their relationship with Endesa closed long ago and did not expect Endesa to continue storing their personal data. This has increased the perception of vulnerability toward Endesa and reinforced the feeling of loss of control over the personal data stored by Endesa.
Endesa’s response to the security breach
After detecting the incident, Endesa activated its internal security protocols and Endesa began investigating the real scope of the unauthorized access that affected Endesa’s systems. The company Endesa stated that it had blocked the compromised accesses within Endesa’s digital infrastructure and strengthened the protection measures of Endesa’s IT systems.
Subsequently, Endesa initiated the notification process to Endesa customers who may have been affected by the hack. In these official communications, Endesa informed that unauthorized access had occurred to Endesa’s commercial platform and that some personal data managed by Endesa might have been compromised. Endesa also indicated that access passwords to Endesa’s services had not been affected and that Endesa’s main operating systems continued to function normally.
However, Endesa’s response has been the subject of criticism from cybersecurity experts and users. In particular, the time elapsed between Endesa’s internal detection of the incident and the public communication of the Endesa hack has been questioned. According to specialists, a faster communicative response by Endesa could have allowed Endesa users to take preventive measures earlier.
The intervention of authorities and the legal framework in the Endesa case
As required by European data protection regulations, Endesa notified the security incident to the competent authorities. Among these authorities is the Spanish Data Protection Agency, the body responsible for supervising legal compliance in cases such as the hack suffered by Endesa.
Security breaches like the one that affected Endesa, when they compromise personal data managed by Endesa and pose a risk to the rights and freedoms of citizens, are subject to investigation processes and possible sanctions. Authorities will analyze whether Endesa complied with the security measures required by current legislation and whether Endesa’s handling of the incident was adequate, both from a technical standpoint and in the communication carried out by Endesa to those affected.
If investigations determine negligence or non-compliance on the part of Endesa, the company Endesa could face significant financial penalties. Added to this would be the reputational impact that the Endesa hack is already generating, affecting the trust of customers, former customers, and the general public toward Endesa.
Real risks for people affected by the Endesa hack
Although so far no massive fraudulent use of data originating from Endesa has been confirmed, the nature of the information leaked from Endesa’s systems implies real risks for people affected by Endesa in the short, medium, and long term. The personal and financial data managed by Endesa can be used in multiple ways by cybercrime networks that take advantage of incidents such as the Endesa hack.
Phishing and personalized scams using the Endesa brand
With the data obtained from the Endesa leak, cybercriminals can create highly credible emails, SMS messages, or phone calls, posing as Endesa or as supposed official Endesa departments. These scams linked to Endesa usually request additional information, urgent payments, or verification of personal data, using the Endesa name to generate trust and urgency in victims.
Identity theft using Endesa data
The combination of full name, identity document, and contact details originating from Endesa facilitates identity theft in other services. The data stored by Endesa can be used to open accounts, modify contracts, or access digital services, especially in processes where advanced verification mechanisms are not required. The Endesa hack amplifies this risk by putting large volumes of personal information into circulation.
Financial fraud related to Endesa contracts
Banking data linked to Endesa contracts can be used for more sophisticated financial fraud attempts. Among these Endesa-related frauds are unauthorized charges, scams related to Endesa billing, or false requests for refunds supposedly issued by Endesa. The use of the Endesa name increases the credibility of this type of scam.
Resale of personal data originating from Endesa
When personal data obtained from the Endesa hack are commercialized on underground markets, they can be repeatedly used by different criminal groups. The resale of Endesa data prolongs the risk for years, as the information can reappear in new fraud campaigns linked directly or indirectly to Endesa.
Recommendations for those who may be affected by Endesa
In the face of an incident of this nature related to Endesa, cybersecurity experts recommend that Endesa customers and former Endesa customers adopt a proactive attitude to reduce the risks derived from the Endesa hack:
- Be suspicious of emails, phone calls, or SMS messages requesting personal or banking information in the name of Endesa.
- Always verify the authenticity of communications supposedly sent by Endesa by contacting Endesa directly through its official channels.
- Periodically review bank movements associated with Endesa contracts and report any suspicious activity related to Endesa.
- Activate two-factor authentication on digital services linked to Endesa or on other platforms where data similar to those provided to Endesa are used.
- Change passwords on important services that may be related to data shared with Endesa and use unique and strong passwords.
- Inform the competent authorities or the banking institution if a possible fraud is detected that may be related to the misuse of data originating from Endesa.
The Endesa hack represents one of the largest personal data security incidents recorded in the energy sector in Spain. What happened with Endesa has highlighted the exposure of sensitive information of millions of people linked to Endesa, including those who stopped being Endesa customers years ago. This Endesa incident highlights the fragility of digital systems when organizations the size of Endesa do not apply continuous, robust protection measures aligned with the critical nature of the data they manage.
Beyond the possible sanctions or legal consequences that Endesa may face, this Endesa case leaves a clear lesson for the entire business landscape: cybersecurity can no longer be considered a secondary technical aspect. The breach suffered by Endesa demonstrates that personal data protection is today a central element of corporate responsibility, especially for companies like Endesa that manage critical information and personal data of millions of citizens.
In an environment where personal data have enormous value, Endesa and the rest of organizations are obliged to protect them from an ethical, legal, and strategic perspective. The real impact of the Endesa data leak will be measured over time, but what happened with Endesa should serve as a clear warning for the entire energy sector and for any company that manages large volumes of personal information.
The Endesa case also acts as a reminder for citizens about the importance of protecting their digital identity and demanding greater guarantees in terms of information security. Incidents such as the Endesa hack show that no organization is exempt from suffering a security breach if it does not have a solid cybersecurity strategy, data protection, and digital risk management.
In this context, ITD Consulting supports companies that want to anticipate scenarios like the one experienced by Endesa, helping them evaluate their systems, strengthen their security measures, and comply with current legal and technical standards. To receive specialized advice on cybersecurity and information protection, you can contact ITD Consulting directly by writing to [email protected].
EN 
ES