
How secure is our data? The Endesa hack and what Mallorca's customers need to know


Endesa reports a breach of its trading platform; data from more than 20 million people was allegedly offered. What this specifically means for customers in Mallorca and how to protect yourself.


A cyberattack hits Spain's large energy supplier – but the answers remain incomplete

It began with a message from the dark web: a user calling themselves "Spain" offered a large dataset for sale, allegedly more than 20 million records. Shortly afterwards Endesa confirmed that there had been a security incident on its trading platform and that customer data from Energía XXI could be affected. In Palma's street cafés, for example at Plaça Major or in Santa Catalina, I saw people staring at their phones today reading the providers' warnings – a sight that brings the issue down from an abstract IT risk to everyday life.

Key question: How well are the personal data of island residents protected by large corporations, and what is missing in the handling of such incidents?

Critical analysis: The information released so far is specific in some details and vague on responsibility. According to the available data, the dataset includes personal identification information, contact details, addresses, ID numbers, IBAN information as well as contract and billing data. Endesa states that there are currently no indications of misuse. That is reassuring on the one hand – but the statement alone is not sufficient. The central questions remain: Which systems were vulnerable in what way, how long was the gap open, and which internal safeguards failed?

Public discourse has gaps: In conversations with people from local administration and small businesses in Mallorca I often hear the same concerns – people learn too late which data exactly are affected; too rarely is it explained how consumers can assert their rights. For context on regional defence efforts, see "Balearic Islands turn to cyber protection — is it enough to really secure the administration?" There is also a missing debate about the obligations of large utilities to practice data minimization; local reporting such as "Digital Shield for the Balearic Islands: Is the Budget Enough Against Invisible Attackers?" discusses the wider funding context. If companies permanently store IBANs and ID numbers, the risk increases dramatically.

An everyday scene: On the way to Palma harbor yesterday, an older woman stood at a meter box while her grandson showed her the email from Endesa on his smartphone. She did not understand most of it, but was unsettled: "My account details? Why do they need that?" Encounters like that show that information must be communicated clearly and locally – not just as legalese in English-language emails.

Concrete recommendations for those affected:
1) Stay calm, but act: check recent bank statements and inform your bank immediately about any unusual debits.
2) Be skeptical of unusual emails or messages; never confirm detailed personal information by email.
3) Consider using identity and credit monitoring services or placing a freeze with credit registers.
4) Gather documentation: keep emails and notifications – they will be important later for reports to banks or data protection authorities.

Concrete measures for companies and authorities:
1) Full transparency about the scope and nature of the compromised data – affected customers must be informed clearly and in regionally understandable ways.
2) Forensic investigation by independent experts and the publication of a summary report.
3) Immediate technical measures: encryption of data at rest, segmentation of customer data, regular penetration testing and a strict principle of data minimization.
4) Regulatory steps: the Spanish Data Protection Agency (AEPD) should check whether reporting deadlines were met and whether sanctions or orders are necessary.
5) Expand municipal advisory services on Mallorca so that especially older people receive understandable help.

What we are missing: concrete numbers for our island. How many Energía XXI customers on Mallorca are affected? Which postal codes, which types of contracts? Such local information is currently missing, yet it is crucial so that banks, town halls and social services can inform the relevant groups in a targeted way.

A practical proposal for Palma: The city administration could, together with consumer protection organizations and local banks, offer a telephone hotline and information points in community centers – analog and digital – to help people who cannot interpret the emails or who have no online access. A simple checklist in Spanish, Catalan and German would ease many fears.

Punchy conclusion: Data leak yes, panic no – but turning a blind eye would be wrong. Endesa has the responsibility to clarify comprehensively and to support those affected in concrete ways. We as island residents should not just trust corporate statements, but monitor our accounts, involve banks and the AEPD if in doubt, and demand local support. An attack on digital records is an attack on everyday life and trust; those who pay their bills on a street corner in Palma deserve clear answers, not reassurances without details. Similar disruptions have hit the island's services before, for example when a cyberattack disrupted flights to Mallorca.
