Endesa hit with record-breaking fine for massive data breach

The AEPD report reveals shocking exposure of customer information

The Spanish Data Protection Agency (AEPD) has imposed its second highest sanction, to the company Endesa, with a staggering fine of 6.1 million euros. This penalty arises from a serious breach of data protection that exposed sensitive information of millions of customers. According to the AEPD report, personal data of 4.8 million electricity and 1.2 million gas customers of Endesa were exposed to unauthorized third parties. Additionally, there was identified access to technical data of 30.6 million electricity supply points and 8.6 million gas supply points, including confidential information such as names, ID numbers, phone numbers, emails, addresses, bank account numbers, CUPS (supply point code), consumption, billing, and debts.

Endesa identified the vulnerability in August 2021, stemming from the exposure of access keys on Facebook for its Sales Folder platform. Despite this discovery, the company failed to take immediate action or notify relevant authorities. Notably, in August 2021, multiple Facebook ads were discovered, advertising the sale of credentials to access Endesa's platform, containing customer data. Further ads, similar in nature, were found on January 17, 2022, advertising the sale of energy and gas customer databases. It wasn't until February 8, 2022, that Endesa matched these ads with its CRM system. These ads offered batches of databases containing information on tens of thousands to hundreds of thousands of customers, including personal details such as names, IDs, addresses, and contact numbers.

Endesa estimates that around a thousand people's data was compromised by an employee misusing privileges. These customers won't be notified as their rights and freedoms aren't deemed at high risk. Endesa reset passwords for affected users, disabled simultaneous platform sessions, and requested the removal of Facebook ads selling user data. On April 1, 2022, affected parties were alerted to possible unauthorized access to Endesa Energía's commercial systems.

The AEPD points out that Endesa's conduct has been seriously negligent insofar as it took months to reset or delete compromised users, allowing access to personal data in Endesa's systems for months and fraudulent user registrations. Likewise, it considers that the data of up to 6.5 million customers were available for consultation by third parties unrelated to the company. In conclusion, the AEPD resolves the imposition of five fines totaling 6.1 million euros for different infringements of articles 5 (Principles relating to processing of personal data) , 32 (Security of processing) 33, 34 (Notification of a personal data breach to the supervisory authority and to the data subject) and 44 (Principle for data transfers) of the General Data Protection Regulation (GDPR).

Authors: Cristina Grande, Counsel; Carmen Gordillo, Associate