Overview
- The company says an intruder accessed its commercial platform, extracting contact details, national IDs, contract data and bank IBANs, while account passwords were not affected.
- Customers on both the regulated PVPC and free-market tariffs, including those served by Energía XXI, are within the scope of the incident.
- Endesa began notifying potentially affected users on January 12, activated incident‑response measures, and reported the breach to Incibe and the Spanish Data Protection Agency.
- No fraudulent use of the data has been confirmed to date, though the company warns of potential identity theft and phishing risks and has set up a dedicated assistance line.
- Security site Escudo Digital reports an unverified dark‑web dump claiming over 1 TB of data tied to more than 20 million people, as Endesa shares slipped about 1.3% following the disclosure.