Today, we’d like to share a recent cybersecurity incident that caught our attention — not because it involved sophisticated hacking techniques, but because it highlights how customer data can still be exposed even when core systems remain operational. It’s a useful case study for any organisation that handles personal or payment information.

Spanish energy company Endesa recently notified customers that some of their personal information was accessed during a data breach. Endesa, which is majority-owned by Enel Group, serves around 10 million customers in Spain and more than 10 million across other European countries. According to the company, the incident involved unauthorised access to one of its commercial platforms, affecting both Endesa customers and customers of its gas distributor, Energia XXI.

Based on the company’s public notice, the attackers were able to access and likely copy a range of customer information. This included basic identification details, contact information, national identification numbers, contract data, and payment-related information such as IBANs. While Endesa stated that no passwords were compromised, the exposure of identity and financial data can still pose a significant risk to affected individuals if misused.

Endesa explained that the incident was quickly contained and that additional security measures were put in place. These steps included blocking compromised user accounts, reviewing system logs, notifying affected customers, and increasing ongoing monitoring to detect any suspicious activity. The company also reassured customers that its operations and services continue to function normally and that there is currently no evidence the data has been used for malicious purposes.

Despite these reassurances, Endesa advised customers to remain alert for signs of identity theft, phishing attempts, or other scams. This advice is important, as stolen personal data is often used later in targeted fraud campaigns, sometimes weeks or even months after an incident occurs. Even when passwords are not exposed, attackers can use personal and contract details to craft highly convincing scam messages.

Public reaction to the breach has been mixed. Some customers expressed frustration on social media, questioning the wording of the company’s notification and raising concerns about how their information was protected. The timing of the notification also drew attention, as customers were informed roughly a week after a threat actor claimed on a hacker forum to have accessed Endesa’s systems and exfiltrated a large volume of data. The attacker alleged that the data belonged to more than 20 million customers, although this figure has been disputed by online commentators.

For businesses, this incident is a reminder that data breaches are not only about service outages or stolen passwords. Access to customer records, identity numbers, and payment details can have long-term consequences for both organisations and individuals. Clear communication, timely notifications, and strong internal access controls are just as important as technical security measures.

At CSB, we often encourage organisations to look beyond “was the system still running?” and instead ask, “What data do we hold, who can access it, and how quickly can we detect unusual activity?” Understanding and preparing for these questions is a key part of building trust and resilience in today’s digital environment.