Endesa Energia has warned customers that some bank account details may have been exposed following a cyberattack.
The supplier said a security incident resulted in the unauthorised extraction of personal data.
According to Endesa, the breach involved the exfiltration of customer information, which may include contact details, national identity numbers (DNI), contract information and, in some cases, bank account numbers (IBANs).
The company stressed that login credentials and passwords were not compromised.
The energy provider said it immediately activated its internal security protocols and deployed technical and organisational measures to contain the incident, mitigate its impact and prevent recurrence.
These actions included blocking compromised access accounts, analysing system logs and placing affected systems under enhanced monitoring to detect any suspicious activity.
Endesa has also notified the relevant authorities, including the Agencia Española de Protección de Datos (AEPD).
The company says both internal investigations and checks with external providers are ongoing to fully determine how the breach occurred and whether further measures are required.
As of the latest update, Endesa says it has no evidence that the stolen data has been used fraudulently, and believes it is unlikely the incident will result in a high risk to customers’ rights and freedoms.
However, the company warns that access to personal data could still lead to identity impersonation attempts, phishing attacks or spam, or the publication of personal information without the customer’s control.
Endesa is urging customers to remain vigilant over the coming days, particularly regarding unexpected emails, phone calls or messages requesting personal or banking details. Any suspicious communication should be treated with caution and reported.
Customers with concerns or who believe they may be affected can contact Endesa via telephone on 800 760 366 or email at contactodpo@endesa.es.
