The electricity company Endesa has informed its clients that it has suffered a cyberattack through which personal and financial data of its clients have been stolen.
There are affected parties among both Endesa Energía customers, which operates in the free market, and Energía XXI, which operates in the regulated market.
According to the statement to users, the internal investigation indicates that cybercriminals have accessed customers' first names, last names, contact details, and National Identity Document (DNI) numbers.
The attack has also exposed data relating to contracts, as well as the IBAN codes of the bank accounts associated with payments, in some cases. The company has also explained that users' access passwords have not been compromised.
Endesa has not detected any misuse of the stolen data, but warns that the malicious actor could attempt to impersonate customers, publish said data on digital forums, or use it to send fraudulent emails or messages
The company considers it "unlikely" that this theft "will materialize into a high-risk impact on its rights and freedoms," although it recommends that clients be alert to "possible suspicious communications they may receive in the coming days."
The cyberattack is being investigated by the Spanish Data Protection Agency (AEPD) as well as by the State Security Forces and Corps.