
Endesa Energía XXI Data Breach 2026: Massive Customer Data Exfiltration from Commercial Platform

  • Jan 13

Executive Summary

On January 12, 2026, Endesa, Spain’s largest energy provider and a subsidiary of the Enel Group, publicly disclosed a significant data breach affecting customers of its regulated market operator, Energía XXI. The breach involved unauthorized access to the company’s commercial platform, resulting in the exposure and potential exfiltration of highly sensitive customer data, including identification details, contact information, national identity numbers, contract data, and payment information such as IBANs. No account passwords or operational systems were compromised, and there is no evidence of fraudulent use of the stolen data as of the latest official statements. The company has activated incident response protocols, notified affected customers, and reported the incident to the Spanish Data Protection Agency (AEPD) and the National Cybersecurity Institute (Incibe). Customers are advised to remain vigilant for phishing, impersonation, and fraud attempts. The breach highlights the ongoing risks facing critical infrastructure providers and the importance of robust incident response and regulatory compliance.

Technical Information

The Endesa data breach was the result of unauthorized and illegitimate access to the company’s commercial and sales platform, specifically targeting the regulated market operator Energía XXI. The attacker bypassed existing security controls and accessed internal systems, exfiltrating sensitive customer data. According to all three primary sources, the breach did not involve the compromise of account passwords, ransomware deployment, or direct disruption of energy delivery or operational technology systems. The attack was focused on data theft, with the attacker claiming to have exfiltrated over 1TB of SQL database data, including personal, contract, and financial information, which was subsequently offered for sale on a dark web forum (https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-discloses-data-breach-affecting-customers/; https://en.ara.cat/economy/cyberattack-extracts-personal-data-from-endesa-customers_1_5615680.html).

Attack Vector Analysis

The initial access vector is not explicitly detailed in the available sources. However, the technical context suggests that the attacker exploited a vulnerability in the public-facing commercial platform or leveraged valid accounts to gain unauthorized access. There is no evidence of phishing, malware, or ransomware as the initial access method. The attacker’s ability to access and exfiltrate large volumes of SQL database data indicates a high level of access to backend systems.

MITRE ATT&CK Mapping

The attack can be mapped to the following MITRE ATT&CK techniques:

  • Initial Access: Exploit Public-Facing Application (T1190) or Valid Accounts (T1078). The attacker accessed the commercial platform without credential compromise, suggesting exploitation of a web application vulnerability or use of compromised internal accounts. (Confidence: Medium, based on the technical description and the absence of password compromise) [https://attack.mitre.org/techniques/T1190/, https://attack.mitre.org/techniques/T1078/]

  • Data Collection: Data from Information Repositories (T1213). The attacker accessed and exfiltrated data from SQL databases containing sensitive customer information. (Confidence: High, based on explicit statements about SQL database exfiltration) [https://attack.mitre.org/techniques/T1213/]

  • Data Staging: Data Staged (T1074). The attacker likely staged the data prior to exfiltration. (Confidence: High) [https://attack.mitre.org/techniques/T1074/]

  • Exfiltration: Exfiltration Over Web Service (T1567) or Exfiltration Over C2 Channel (T1041). The specific exfiltration method is not disclosed. (Confidence: Low, as the exfiltration channel is not specified) [https://attack.mitre.org/techniques/T1567/, https://attack.mitre.org/techniques/T1041/]

Data Compromised

The investigation confirmed that the following categories of data were accessed and potentially exfiltrated:

  • Basic identification details (names, addresses, contact information)

  • National identity numbers (DNI)

  • Contract-related data (contract numbers, CUPS codes, account-to-person relationships)

  • Payment details, including IBANs, billing information, and account history

No account passwords or authentication credentials were compromised.

The attacker’s claim of possessing over 1TB of SQL database data aligns with the company’s assessment of the breach’s scope. The data is highly sensitive and could be used for identity theft, fraud, and phishing attacks.

Threat Actor Activity

The attacker published samples of the stolen data on a dark web forum on January 4, 2026, and offered the full dataset for sale to a single exclusive buyer. The sale of large volumes of sensitive data on underground forums is a common tactic among financially motivated cybercriminals and data extortion groups. However, there is no direct technical evidence (such as malware, TTPs, or infrastructure) linking this breach to a known advanced persistent threat (APT) or ransomware group. The attack pattern is consistent with previous data theft and extortion incidents targeting the energy sector, but attribution remains speculative.

Incident Response

Upon detection of the breach, Endesa activated its established incident response protocols, which included blocking compromised internal accounts, analyzing log records, notifying affected customers, and implementing enhanced monitoring to detect further suspicious activity. The company also launched an internal investigation with its technology providers and notified the Spanish Data Protection Agency (AEPD) and the National Cybersecurity Institute (Incibe) as required by law. Operations and services remain unaffected, and there is no evidence of fraudulent use of the stolen data as of the latest official statements.

Evidence Assessment

All major claims in this report are corroborated by at least three independent, primary sources, with explicit dates and sector-specific context. The technical details of the attack are based on official company statements, regulatory filings, and direct reporting from reputable cybersecurity news outlets. The absence of specific malware, ransomware, or technical indicators limits the ability to attribute the attack to a particular threat actor or group. The mapping to MITRE ATT&CK techniques is based on the described attack flow and available evidence.

Affected Versions & Timeline

The breach specifically affected customers of Energía XXI, the regulated market operator under Endesa. The commercial and sales platform used to manage customer contracts and billing was the primary target. The following timeline summarizes the sequence of verified events:

  • January 4, 2026: The attacker publishes details and sample data on a dark web forum, claiming to have exfiltrated over 1TB of sensitive customer information (https://en.ara.cat/economy/cyberattack-extracts-personal-data-from-endesa-customers_1_5615680.html).

  • January 6, 2026: The hack is reported by the Digital Shield portal.

  • January 12, 2026: Endesa publicly discloses the breach and begins notifying affected customers (https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-discloses-data-breach-affecting-customers/; https://en.ara.cat/economy/cyberattack-extracts-personal-data-from-endesa-customers_1_5615680.html).

  • January 13, 2026: The Cyber Express publishes further details and confirmation of regulatory notifications (https://thecyberexpress.com/endesa-data-breach/).

The breach impacts millions of customers in Spain and Portugal, with the company serving approximately 22 million clients in total. The investigation is ongoing, and affected customers continue to be notified as new information emerges.

Threat Activity

The threat activity associated with this breach is characterized by targeted, unauthorized access to a critical infrastructure provider’s commercial platform, followed by large-scale data exfiltration and attempted monetization via dark web forums. The attacker’s tactics align with those of financially motivated cybercriminals and data extortion groups, focusing on the theft and sale of highly sensitive personal and financial data.

No evidence of malware deployment, ransomware, or operational disruption has been identified. The attacker’s primary objective appears to be data theft for financial gain, rather than sabotage or espionage. The sale of the stolen data on underground forums increases the risk of secondary attacks, including identity theft, fraud, phishing, and impersonation campaigns targeting affected customers.

The breach underscores the vulnerability of the energy sector to data-centric cyberattacks and the potential for significant reputational, regulatory, and financial impacts. The rapid detection, containment, and notification actions taken by Endesa are consistent with best practices for incident response in critical infrastructure environments.

Mitigation & Workarounds

The following mitigation and workaround recommendations are prioritized by severity:

Critical: Immediate monitoring for suspicious activity related to the exposed data is essential. Customers should be vigilant for phishing attempts, identity impersonation, and fraudulent communications. Any suspicious activity should be reported to Endesa and relevant authorities without delay.

High: Organizations operating in the energy sector should review and strengthen security controls on public-facing applications, particularly those managing sensitive customer data. Regular vulnerability assessments, penetration testing, and timely patching of web applications are critical to reducing the risk of exploitation.

High: Enhanced monitoring and logging of access to sensitive data repositories, such as SQL databases, should be implemented. Anomalous access patterns and large-scale data exports should trigger immediate alerts and incident response actions.
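As an added illustration of the monitoring recommendation above (example code written for this page, not anything from Endesa or the cited sources), the following script aggregates rows read from sensitive tables per database principal, client address and hour, and raises an alert when a bucket exceeds a volume threshold, noting whether the access happened outside business hours. The log format, table names, threshold and business-hours window are all assumptions; the log lines are constructed sample data.

```python
"""Flag bulk reads from sensitive SQL tables in an audit log (constructed sample)."""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp, database user, client IP, table, rows returned.
# A low-volume billing application is followed by a late-night service account
# pulling millions of rows from every customer-data table.
SAMPLE_LOG = """\
2026-01-03T09:12:04Z billing_app 10.20.1.15 contracts 40
2026-01-03T09:12:05Z billing_app 10.20.1.15 customers 1
2026-01-03T09:13:10Z billing_app 10.20.1.15 payments 12
2026-01-03T23:41:07Z reporting_svc 10.20.1.77 customers 2500000
2026-01-03T23:52:30Z reporting_svc 10.20.1.77 payments 1800000
2026-01-03T23:58:01Z reporting_svc 10.20.1.77 contracts 2100000
2026-01-04T08:05:00Z billing_app 10.20.1.15 contracts 35
"""

SENSITIVE_TABLES = {"customers", "payments", "contracts"}  # assumed PII/IBAN tables
ROWS_PER_HOUR_LIMIT = 100_000  # assumed threshold; tune to the platform's normal volume
BUSINESS_HOURS = range(7, 20)  # assumed 07:00-19:59 window for legitimate batch jobs


def parse_lines(text):
    """Parse whitespace-separated audit lines into (timestamp, user, ip, table, rows)."""
    events = []
    for line in text.splitlines():
        ts, user, ip, table, rows = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, table, int(rows)))
    return events


def find_bulk_exports(events, limit=ROWS_PER_HOUR_LIMIT):
    """Sum rows read from sensitive tables per (user, ip, hour) and flag buckets over limit.

    Returns alerts sorted by hour; each alert records the principal, source address,
    hour bucket, total rows and whether the activity fell outside business hours."""
    buckets = defaultdict(int)
    for ts, user, ip, table, rows in events:
        if table in SENSITIVE_TABLES:
            buckets[(user, ip, ts.replace(minute=0, second=0))] += rows
    alerts = []
    for (user, ip, hour), rows in buckets.items():
        if rows > limit:
            alerts.append({"user": user, "ip": ip, "hour": hour.isoformat(), "rows": rows,
                           "off_hours": hour.hour not in BUSINESS_HOURS})
    return sorted(alerts, key=lambda a: a["hour"])


if __name__ == "__main__":
    for alert in find_bulk_exports(parse_lines(SAMPLE_LOG)):
        print(alert)
```

In production the same aggregation would run over the database's native audit log or a query-proxy log, with the threshold derived from a per-account baseline rather than a fixed constant.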

Medium: Employee awareness training on social engineering, phishing, and data protection should be reinforced, especially for staff with access to sensitive customer information.

Medium: Review and update incident response plans to ensure rapid detection, containment, and notification in the event of future breaches. Coordination with regulatory authorities and timely customer communication are essential components of effective response.

Low: Customers are advised to avoid sharing personal or sensitive information with unknown parties and to use official communication channels when interacting with Endesa or reporting suspicious activity.

No specific technical workarounds are available for customers, as the breach did not involve malware or direct compromise of customer devices. The focus should remain on vigilance, monitoring, and adherence to security best practices.

References

https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-discloses-data-breach-affecting-customers/

https://thecyberexpress.com/endesa-data-breach/

https://en.ara.cat/economy/cyberattack-extracts-personal-data-from-endesa-customers_1_5615680.html

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations in critical infrastructure sectors identify, assess, and monitor cyber risks in their digital supply chains. Our platform enables continuous risk assessment, automated evidence collection, and actionable insights to support compliance and incident response. For questions or further information, please contact us at ops@rescana.com.
