Hacker attack on Endesa: What Mallorca customers should know and do now

Hacker attack on Endesa: What Mallorca customers should know and do now

Main question: How great is the risk for people on the island — and what remains unclear?

On January 13, 2026, Endesa reported that unknown actors gained access to the Endesa Energía platform and stole personal data of more than 20 million customers. Affected information includes ID details, contact information and bank account data; according to the statement, passwords were not taken. Endesa informed customers by e‑mail and provides the phone number 800 760 366 for those affected.

That sounds abstract, that sounds large. But on Mallorca many people have exactly these data in their phone contacts, on invoices or in contracts: owners of holiday apartments in Portixol, a restaurant operator in the Born, elderly residents at the Plaça de l'Església. For them this is not a headline but the question whether transfers will appear in the coming weeks, strange debits occur or identity misuse takes place; similar cases of identity abuse are documented in When the padrón lies: Identity theft in Mallorca and the system's vulnerabilities.

Critical analysis: The figure of 20 million sounds alarming, but it says little about the actual danger to individual people. Are they predominantly private households, business accounts, foreign addresses? Were German citizens, residents living here or short-term electricity customers for holiday rentals particularly affected? Without clarity about the composition of the dataset, assessment remains vague.

The claim that passwords were not accessed is also no free pass. Bank details plus name and ID information are enough, in the case of poorly protected banks or via social engineering, to cause serious harm. Many people on Mallorca manage banking online or authorize payments by SEPA direct debit — an attractive target for fraudsters.

What is missing from the public discourse: thorough transparency from the energy provider and the authorities, even as the region invests in new cyber defenses (see Balearic Islands turn to cyber protection — is it enough to really secure the administration?). Customers need information about exactly which records are affected, how long access lasted and which protective measures Endesa has already implemented. A simple e‑mail is not enough if follow‑up information is missing or only contains general wording.

At the local level the connection to banks and consumer protection agencies is also lacking. On Mallorca we often see that problems first surface in classifieds or in cafés on Avinguda Jaume III long before official bodies act. That must change: fast warning chains between the supplier, banks and the local police would be useful.

Everyday scene on the island: On a cool morning at the Mercat de l’Olivar, between orange stalls and the smell of freshly fried fish, neighbors talk about collecting paper bills and not knowing where their data are stored online. A taxi driver from Palma mentions that many of his regular customers for holiday properties use the same e‑mail address — an entry point if that address is compromised; travelers and hosts should note warnings such as Don't Let Your ID Be Copied: What Mallorca Travelers Should Know at Check‑in.

Concrete steps for those affected on Mallorca (practical and without panic): 1) Check your bank transactions from the past weeks and report any irregularities to your bank immediately. 2) Contact Endesa using the number 800 760 366 and demand confirmation of which data from your customer account were affected. 3) Block cards if you suspect misuse or arrange monitoring services with your bank. 4) Report the incident to the local police station if money is missing and consider filing a complaint with the Spanish Data Protection Agency (AEPD). 5) Warn relatives: elderly people on the island are particularly vulnerable to phone scams and bogus payment requests.

Technical and organizational measures: Endesa must disclose the forensic analysis (keywords: scope, entry point, timeframe), proactively inform customers about concrete risk elements and expand partnerships with banks and data protection authorities. For consumers: two‑factor authentication, individual e‑mail addresses for sensitive accounts and regularly reconciling invoices are imperfect but effective barriers.

What local authorities should provide: official information sheets in multiple languages, clear contact points in town halls (ajuntaments) and a coordinated hotline on Mallorca to refer those affected to banks and consumer protection organizations. The island lives from tourism — many short‑term customer details are tied to energy contracts for holiday properties. Standardized processes are needed so hosts are not left in the dark.

Another blind spot: the question of possible data trading. Stolen datasets often appear first in dark channels, sold in batches. The longer companies remain opaque, the greater the chance that the information has already been circulated. For those affected this means: increase your control over accounts, enable account notifications and check credit reports where possible for your country of residence.

Short‑term recommendations for companies on Mallorca: Check whether customer data from energy bills appear duplicated in your customer database, further restrict internal access rights and inform employees about social engineering risks — many attacks begin outside technically protected areas, namely in phone calls to an alleged hotline.

Concise conclusion: The leak at Endesa is not an abstract risk but a tangible problem for individual households and small businesses on Mallorca. Transparency from the supplier, practical help from banks and clear local information offers are now necessary. Those who stay calm, immediately check their accounts and use the provided contact channels reduce the risk most effectively.

If you are affected: note every step, document phone calls, demand written confirmations — and stay vigilant. On an island where neighbors share information and news spreads quickly, caution is right now the best neighborhood help.