Threat Actor Claims to Breach Endesa, Allegedly Compromising Millions of Customer Records
Published on March 26, 2025
- Over 39 million Endesa customers are said to be exposed on the dark web after an alleged data leak.
- A threat actor announced on a hacker forum that customers of both electricity and gas services were impacted.
- Compromised details reportedly include customer names, phone numbers, emails, home addresses, and banking information
A threat actor identifying as “AgencyInt” has publicly claimed responsibility for a significant data breach involving Endesa, one of Spain’s largest energy providers, exposing sensitive information belonging to approximately 39.2 million customers of both electricity and gas services.
According to the group’s statements, the alleged breach has resulted in the exfiltration of customer names and ID numbers, phone numbers and email addresses, residential addresses, and banking information that includes account numbers from 30.6 million electricity customers and 8.6 million gas customers.
The compromised data also allegedly includes CUPS (Universal Supply Point Codes), utility consumption records, and billing and debt information.
The extent and variety of data allegedly exfiltrated from Endesa significantly raise the stakes, potentially exposing millions of individuals to threats such as identity theft, financial fraud, and further targeted attacks.
Despite the claims made by AgencyInt, Endesa has neither confirmed any data leaks nor verified the authenticity of the attacker group’s claims.
However, if the allegations prove to be accurate, the incident could constitute one of the most severe data breaches in the energy sector to date, both in terms of the volume of records affected and the sensitivity of the data reportedly accessed.
If validated, the breach highlights critical vulnerabilities within the energy sector’s cybersecurity infrastructure. Beyond compromising personal information, such an extensive leak could undermine customer trust, result in regulatory investigations, and impose substantial fines under data protection laws like the EU’s General Data Protection Regulation (GDPR).
Related
Most Popular
Most Popular