Hacker attack on Endesa: Who protects my data — and how?

Hacker attack on Endesa: Who protects my data — and how?

Leading question

When an energy provider loses identity documents, contact details and bank details of more than 20 million people: Is an email to those affected sufficient? Or do we need clearer rules, better controls and above all more practical help in Mallorca and elsewhere?

It starts with a sober report: Endesa informed customers by email that unknown parties gained access to its platform and stole sensitive data. According to the company, passwords were not taken; so far there is no official evidence of misuse. These facts are enough — and yet they cause unrest. At the Mercado del Olivar you can hear the conversation: “Did you get the email too?” says a woman with a shopping bag. A moped passes by, a vendor calls out prices; and suddenly the issue is right in the middle of everyday life.

Critical analysis

The incident reveals several problems at once. First: the sheer number of affected people shows how great the risk is when a central service provider is compromised. Second: communication by email is necessary but often too technical and too brief. Third: the statement that passwords were not stolen sounds reassuring — but it does not guarantee that there will be no follow-up damages, for example through access to bank data or identity theft.

Technically, several factors come together: outdated interfaces, insufficient segmentation of databases, a lack of multi-layer monitoring and sometimes employee phishing as an entry point. On the regulatory level one must not forget: under the General Data Protection Regulation (GDPR) incidents must be reported quickly — but reporting is only a first step, not a solution for those affected.

What is missing in the public debate

The debate often focuses on assigning blame and questions of culpability. Less visible are the concrete consequences in everyday life: How does the property management react if bank statements are suddenly debited? What happens to rental deposits? How should small businesses in Mallorca that bill through Endesa check their accounting? And who covers real costs when third parties use stolen data to initiate transfers?

Everyday scene from Mallorca

Imagine the Plaça Major on a January morning: market women sort oranges, tourists take photos, an older man reads the newspaper and shakes his head. For many here, email is not an abstract construct but the gateway to bills, contracts and authorities (see Don't Let Your ID Be Copied: What Mallorca Travelers Should Know at Check‑in). When the email says “we have informed you,” for others this means long phone waiting lines with call centers, piles of paperwork and visits to the bank on Calle Sant Miquel.

Concrete approaches to solutions

For consumers (immediately implementable): 1) closely check account statements and debits for the next three months; 2) inform the bank of the incident immediately and request releases/stops for account movements; 3) report suspicious debits to the Policía Nacional and keep copies; 4) watch out for phishing: never click links in suspicious emails, instead go directly to your trusted online banking site or visit the bank branch; 5) if unsure, arrange to block the account or set limits for online transfers; 6) consider identity theft monitoring.

For Endesa (short and medium term): 1) full transparency about the scope, timing and nature of the access, ideally confirmed by an independent forensic investigation; 2) a telephone support offer for those affected with clear contact points in Mallorca; 3) free identity protection services and bank monitoring for affected customers; 4) technical measures: segmentation of sensitive data, end-to-end encryption, regular penetration testing.

For politicians and authorities: 1) order nationwide audits of critical infrastructures, as discussed in Digital Shield for the Balearic Islands: Is the Budget Enough Against Invisible Attackers?; 2) require faster reporting chains and concrete support services for consumers, and build on recent investments described in Balearic Islands turn to cyber protection — is it enough to really secure the administration?; 3) tougher sanctions for proven neglect of security standards; 4) promote awareness programs — e.g. in town halls, municipal administrations and markets.

Concise conclusion

An email notice alone is not enough. It is not just about technical defense, but about transparent help and reliable processes so that the man on the Plaça Major does not suddenly fail to pay his rent because his banking data were misused. In Mallorca data security also means social stability: electricity bills, bank accounts and daily life are closely linked. Whoever wants to disrupt that must take concrete action — municipalities, companies and regulators together.

For everyone checking their mail this morning: stay alert, report anything suspicious immediately, and if the hotline only offers hold music — be persistent. Data are more than numbers; they are doors to our everyday lives. And those doors deserve better protection.