
Spanish Energy Giant Endesa Notifies Customers of Data Breach Impacting Energía XXI


Spanish energy provider Endesa and its regulated electricity operator Energía XXI have begun notifying customers after detecting unauthorized access to the company’s internal systems, resulting in the exposure of personal and contract-related data. The Endesa data breach incident, publicly disclosed by the company, impacts customers linked to Endesa’s commercial platform and is currently under investigation.

Endesa, Spain’s largest electric utility company and a subsidiary of the Enel Group, provides electricity and gas services to millions of customers across Spain and Portugal. In total, the company reports serving approximately 22 million clients. The Endesa data breach specifically affects customers of Energía XXI, which operates under Spain’s regulated energy market.

Unauthorized Access Detected on Commercial Platform

According to Endesa, the security incident involved unauthorized and illegitimate access to its commercial platform, enabling attackers to view sensitive customer information tied to energy contracts. In a notification sent to affected customers, the company acknowledged the Endesa data breach, stating: “Despite the security measures implemented by this company, we have detected evidence of unauthorized and illegitimate access to certain personal data of our customers related to their energy contracts, including yours.” The company clarified that while account passwords were not compromised, other categories of data were potentially accessed during the incident.

[Image: Endesa Data Breach. Image Source: X]

Types of Data Potentially Exposed in Endesa Data Breach

Based on the ongoing investigation, Endesa confirmed that attackers may have accessed or exfiltrated the following information:
  • Basic identification data
  • Contact information
  • National identity card numbers
  • Contract-related data
  • Possible payment details, including IBANs
Despite the scope of exposed data, Endesa emphasized that login credentials remained secure, reducing the likelihood of direct account takeovers.

Endesa Activates Incident Response Measures

Following detection of the Endesa data breach, the company activated its established security response protocols to contain and mitigate the incident. In its official statement, Endesa detailed the actions taken: “As soon as Endesa Energía became aware of the incident, the established security protocols and procedures were activated, along with all necessary technical and organizational measures to contain it, mitigate its effects, and prevent its recurrence.” These actions included blocking compromised internal accounts, analyzing log records, notifying affected customers, and implementing enhanced monitoring to detect further suspicious activity. The company confirmed that operations and services remain unaffected.

Authorities Notified as Investigation Continues

As required under applicable regulations, Endesa notified the Spanish Data Protection Agency and other relevant authorities after conducting an initial assessment of the incident. The company stated that the investigation is ongoing, involving both internal teams and external suppliers, to fully understand the cause and impact of the breach. Addressing customer concerns, Endesa noted: “As of the date of this communication, there is no evidence of any fraudulent use of the data affected by the incident, making it unlikely that a high-risk impact on your rights and freedoms will materialize.”

Customers Warned of Potential Phishing and Impersonation Risks

While no misuse of data has been identified so far, Endesa acknowledged potential risks associated with the exposed information. Customers have been urged to remain vigilant against identity impersonation, data misuse, phishing attempts, and spam campaigns. The company advised affected individuals to report any suspicious communications to its call center and to avoid sharing personal or sensitive information with unknown parties. Customers were also encouraged to contact law enforcement in case of suspected fraudulent activity. The Cyber Express Team has contacted Energía XXI and Endesa seeking further clarification on the incident and its impact. However, at the time of publication, no additional response had been received from either entity.

European Space Agency Confirms Cybersecurity Breach on External Servers


The European Space Agency (ESA) has confirmed a cybersecurity breach involving servers located outside its corporate network. The confirmation follows a threat actor's claim that they had compromised ESA systems and stolen a large volume of internal data, while ESA maintains that only unclassified information was affected.

In an official statement shared on social media, the European Space Agency said it is aware of the cybersecurity issue and has already launched a forensic security investigation, which remains ongoing. According to ESA, preliminary findings indicate that only a very small number of external servers were impacted. “These servers support unclassified collaborative engineering activities within the scientific community,” ESA stated, emphasizing that the affected infrastructure does not belong to its internal corporate network. The agency added that containment measures have been implemented to secure potentially affected devices and that all relevant stakeholders have been informed.

[Image: European Space Agency. Source: ESA Twitter Handle]

ESA said it will provide further updates as additional details become available.

Threat Actor Claims Data Theft

The confirmation follows claims posted on BreachForums and DarkForums, where a hacker using the alias “888” alleges responsibility for the cybersecurity breach. According to the posts, the attack occurred on December 18, 2025, and resulted in the full exfiltration of internal ESA development assets. The threat actor claims to have stolen over 200 GB of data, including private Bitbucket repositories, source code, CI/CD pipelines, API tokens, access tokens, configuration files, Terraform files, SQL files, confidential documents, and hardcoded credentials. “I’ve been connecting to some of their services for about a week now and have stolen over 200GB of data, including dumping all their private Bitbucket repositories,” the actor wrote in one forum post. The stolen data is reportedly being offered as a one-time sale, with payment requested exclusively in Monero (XMR), a cryptocurrency commonly associated with underground cybercrime marketplaces.

[Image: ESA Threat Actor Claim. Source: Data Breach Forum]

ESA has not verified the authenticity or scope of the claims made by the threat actor. So far, ESA has not disclosed which specific external servers were compromised or whether any credentials or development assets referenced by the threat actor were confirmed to be exposed.

Founded 50 years ago and headquartered in Paris, the European Space Agency is an intergovernmental organization that coordinates space activities across 23 member states. Given ESA’s role in space exploration, satellite systems, and scientific research, cybersecurity incidents involving the agency carry heightened strategic and reputational significance.

Previous European Space Agency Cybersecurity Incidents 

This is not the first cybersecurity breach involving ESA in recent years. In December 2024, the agency’s official web shop was compromised after attackers injected malicious JavaScript code designed to steal customer information and payment card data during checkout. That incident raised concerns around third-party systems and external-facing infrastructure, an issue that appears relevant again in the current breach involving non-corporate servers.

What Happens Next

While ESA insists the compromised systems hosted only unclassified data, the ongoing forensic investigation will be critical in determining the true scope and impact of the breach. As threat actors continue to publish claims on hacking forums, the incident highlights the growing cybersecurity risks facing large scientific and governmental organizations that rely heavily on collaborative and distributed digital environments. ESA has said further updates will be shared once more information becomes available.