3/13/2026 | Uswitch Team

Endesa Data Breach and Cyberattack Explained

Endesa has faced a €6.1 million GDPR fine and a recent cyberattack exposing customer data. Here’s what happened and what Spanish electricity customers should know.

Endesa Data Breach and Cyberattack: What Happened and What Customers Should Know

Spain’s largest electricity supplier, Endesa, has faced serious scrutiny over customer data security after a major regulatory fine and a more recent cyberattack affecting its commercial systems.

Together, these incidents have raised questions about how securely large energy companies protect the personal and financial data of millions of customers.

While Endesa remains one of Spain’s dominant electricity providers, the events highlight an increasingly important issue in the modern energy market: data security within utility companies.

The €6.1 Million GDPR Fine

In late 2023 the Spanish Data Protection Agency (AEPD) issued a major sanction against Endesa after identifying serious shortcomings in its data protection systems.

The investigation found that personal data belonging to approximately 6 million customers had been exposed due to inadequate security measures. Key failures included:

  • Insufficient technical safeguards protecting customer databases
  • Weaknesses in internal systems handling contract data
  • Failures to adequately guarantee confidentiality of personal information

The AEPD determined that Endesa had not implemented appropriate security controls required under the EU’s General Data Protection Regulation (GDPR). As a result, the company received a €6.1 million fine, one of the largest data protection penalties imposed in Spain’s energy sector.

2026 Cyberattack on Customer Systems

More recently, in January 2026, Endesa confirmed it had suffered a cyberattack affecting systems used to manage customer contracts. The breach reportedly allowed unauthorised access to a commercial platform connected to customer account data.

Exposed information reportedly included:

  • Customer names and contact details
  • DNI or identification numbers
  • Contract information
  • Bank account data including IBAN numbers

Security researchers later reported that millions of records were allegedly offered for sale on dark-web forums, although the exact number of affected customers has not been officially confirmed.

Advice for Customers

If you are an Endesa customer, experts recommend:

  • Monitoring your bank account for unusual transactions
  • Ignoring unexpected emails requesting personal details
  • Verifying communications directly through official Endesa channels
  • Changing passwords associated with your energy account
