The year has begun with a severe blow to cybersecurity in Spain. The cyberattack on Endesa has put the personal and banking data of millions of customers at risk, including full name, DNI, supply address and IBAN. Although the company has assured that passwords have not been compromised, cybersecurity specialists warn that the leaked information is more than enough to facilitate large-scale scams.
Although the company explained that passwords were not affected, i3e points out that “only with knowledge of the person’s ID and name they can scam other people by impersonating their identity.”
“Passwords are not needed to commit crimes if cybercriminals use Endesa’s image as a bridge to deceive third parties,” explains Carlos Eduardo Suárez, member of the cybersecurity team at the Catalan technology company i3e. According to the expert, having real customer data makes it possible to craft very credible communications by email, SMS or phone call, which increases the probability that victims will hand over even more sensitive information.
AI as an aggravating element
i3e emphasizes that the impact of the attack is not limited to the initial leak. “This incident does not end at the moment of the theft: the data can be combined with other breaches to create extremely detailed profiles of the affected people,” says Suárez. Added to this is the role of artificial intelligence, which, in addition to being used for defense and for monitoring anomalous access, has also become a tool for attackers.
“With current image and voice generation capabilities, a complete profile of a person can be created and used to steal money or information, even outside their immediate circle,” the company explains. It also warns that the risk is not limited to economic damage, but extends to social trust and the perception of digital security in general.
The cyberattack on Endesa joins other recent incidents, such as the hacks of Iberia or Telefónica, which show the growing vulnerability of digital infrastructures in a context where large amounts of personal data are concentrated in the hands of a few entities. For i3e, this trend calls for urgently reinforcing protection standards and prioritizing cybersecurity investments capable of anticipating and mitigating illicit access.
Recommendations for those affected
Given the magnitude of the incident, i3e urges citizens to exercise extreme caution in the coming weeks. Suárez recommends distrusting any communication that requests passwords, single-use codes or digital signatures, no matter how legitimate the sender may seem. It is also advisable to verify any information exclusively through official Endesa channels, avoiding access through links included in unsolicited messages.
The company also recommends regularly reviewing bank transactions and direct debit receipts to detect possible unrecognized charges and, whenever possible, activating alert systems that give notice of unusual operations. Finally, it recalls the importance of knowing and exercising data protection rights in the event of any indication of improper use of personal information, turning to the Spanish Data Protection Agency when necessary.
