Iberdrola recently informed its customers about an unauthorized access to personal data of more than 850,000 users, although it is estimated that the actual figure could exceed one million. In an email sent to the affected individuals, the energy company detailed that between May 5th and 7th, one of its suppliers experienced a cyberattack that allowed partial access to sensitive information.
In the statement, Iberdrola assures that the incident was quickly resolved and that the compromised data includes names, surnames, ID numbers, and contact information. However, internal sources suggest that there could be more customers and data involved, including financial information such as bank account numbers.
Iberdrola has taken immediate action upon detecting the attack, neutralizing the threat and reinforcing its security systems to prevent future incidents. Additionally, the company has informed the relevant authorities, including the Spanish Data Protection Agency (AEPD), about the incident.
Despite these efforts, many customers claim they have not received any notification and are unaware if they have been affected by this security breach. Meanwhile, data from over one million records are circulating online for sale, suggesting that the scope of the attack could be greater than officially acknowledged.
This is not the first cyberattack that Iberdrola has experienced. In March 2022, the company had already faced a massive data leak affecting 1.3 million customers. On that occasion, the attackers gained access to names, surnames, ID numbers, phones, and emails. Subsequently, the affected individuals began receiving unsolicited calls and emails, indicating that the stolen information had been sold and exploited.
For the 2022 attack, the AEPD imposed a €6.5 million fine on Iberdrola, one of the largest penalties in the history of the organization. The investigation concluded that Iberdrola had not properly monitored its systems since 2019, labeling the vulnerability as “identifiable and avoidable.”
The recurrence of these incidents underscores the need for Iberdrola and other companies to strengthen their cybersecurity measures. The compromised data in these attacks can be used to launch further attacks, putting the security and privacy of customers at risk. In the meantime, affected users should remain vigilant and take additional steps to protect their personal and financial information.