Hoplon InfoSec
15 Jun, 2025
“They had my name, my ID number… and they used it to scam me.” That’s how a hacked Iberdrola customer in Madrid described a wave of phishing texts that followed the power company’s breach. If a trusted electricity provider can be compromised, it makes you wonder; who’s really safe?
At Iberdrola Group Data Breach, On May 5–7, 2024, hackers infiltrated a database run by one of Iberdrola’s external vendors. Over 850,000 customers had their full names, ID numbers (DNI), and contact info exposed. The data was about 1.5 GB in total. Which was already listed for sale on dark web forums when security teams discovered about the breach.
Iberdrola relies on several third-party systems to manage its regulated and free-market customer data. In this case, attackers exploited vulnerabilities in the supplier’s system, bypassing security controls to export a bulk of customer records. The mistake? Insufficient vendor oversight and patching protocols allowed access from May 5, when logs show the first queries, until May 7, when the supplier spotted suspicious activity.
Inside that database were Spanish customers from two segments: 600,000 “Clientes” free-market clients and 250,000 Curenergía regulated-market accounts. Though no financial or password data was taken, the stolen details are prime ammunition for phishing: hackers can now craft messages that appear to come directly from Iberdrola.
How Big Was the Damage?
Who Was Behind It?
No hacker group has officially claimed responsibility yet, and no arrests have been made. But cybercrime gangs often specialize in bulk personal data theft for sale or phishing campaigns. The attack’s stealth suggests a well-structured operation. Some experts suspect a link to networks active in earlier Iberdrola or utility intrusions, although nothing is confirmed.
How Individuals Can Be Targeted
With full names and DNI, these customers are now prime targets for:
How to Detect & Respond
Lessons Learned
Final Thoughts
When a trusted energy giant is breached, people feel vulnerable. This incident highlights that your personal info is only as secure as the systems that hold it—including those you never see. For readers, the takeaway is clear: stay vigilant, verify every contact, and demand strong data protections from your providers.
Share this :