The AEPD sanctions Endesa for exposing data of more than 4.8 million customers

On January 26, the sanction imposed by the Spanish Data Protection Agency (AEPD) on Endesa was published in the Official State Gazette. The imposed sanction amounts to a historic fine of 6.1 million euros against the Spanish electric company for failing to adopt the necessary security measures to protect the privacy of its customers.

AEPD Sanction against Endesa: Background and Causes

The background dates back to June 2020, when Endesa contracted Company XXX to market its products and services through various commercial actions. In March 2021 this provider in turn subcontracted Company YYY for the “intermediation activity in customer registrations for Endesa through commercial prospecting phone calls using Endesa’s databases.”

In August 2021, certain Facebook ads were detected announcing “the rental of a system to obtain energy and gas supply points with just the customer’s address.” The users behind these ads turned out to be employees of Company YYY. Upon confirming the unauthorized sale of Endesa’s CRM databases, including credentials to access the energy and gas customer tool, the sales campaign was suspended, and Endesa applied the necessary measures.

However, in February 2022, over 100 sales operations affected by identity theft were detected again: the phone numbers and confirmation call recordings did not match the contracting customer. Consequently, Endesa initiated its Security Breach Management Protocol.

AEPD Investigation

Thanks to investigations carried out by both the AEPD and the General Subdirectorate of Data Inspection (SGID), a total of 440 ads were identified on Facebook up to September 2022. These ads offered the rental and/or sale of access credentials to Endesa’s tool.

It was determined that the data theft carried out in the fraudulent data sale was intended for conducting commercial calls through prospecting, advisory, and customer service tasks. Specifically, it was determined that the approximate volume of customer credentials that could be accessed was 4.8 million electricity customers and 1.2 million gas customers.

The fraudulent practice carried out by Company YYY operated in three different ways:

Firstly, for customers with whom they closed the sale of a product and formalized it through an SMS reply, the phone number used to send the customer the sales confirmation SMS was found to coincide with a phone number used for the same purpose for a different customer, suggesting that the account holder may never have accepted the contract.

Secondly, they contracted services for customers using access data they had from the Endesa platform and attached call recordings from other customers as evidence of the contract.

Lastly, for users who wanted to contract a service but did not want to read lengthy contract texts, they simulated sales and contract verification via SMS with different customers.

These users who “contracted” Endesa’s services through the subcontracted Company YYY had a user in Company XXX’s CRM. In that CRM, the necessary data for contracting by the customer, call recording, legal texts, customer consent to the commercial offer, and the contract for the offered products and services were loaded, along with the certificate generated with the sales confirmation via SMS.

Violation and fine

Finally, the Director of the AEPD published the Resolution of the sanctioning procedure against Endesa for violations of:

  • Article 5.1.f) of the GDPR, classified under Article 83.5 of said regulation, an administrative fine of 2,500,000.00 euros.
  • Article 32 of the GDPR, classified under Article 83.4 of said regulation, an administrative fine of 1,500,000.00 euros.
  • Article 33 of the GDPR, classified under Article 83.4 of said regulation, an administrative fine of 800,000.00 euros.
  • Article 34 of the GDPR, classified under Article 83.4 of said regulation, an administrative fine of 800,000.00 euros.
  • Article 44 of the GDPR, classified under Article 83.5 of said regulation, an administrative fine of 2,000,000.00 euros.

The AEPD argued in the sanctioning procedure that Endesa did not implement adequate security measures from the onset of the personal data breach in order to mitigate its consequences.

This included the failure to promptly block compromised users’ access to Endesa’s tools; the absence of multifactor user authentication, of a control preventing a user from holding multiple sessions open simultaneously, and of a system providing traceability of the activity performed by those users; and the failure to immediately deactivate or reset users at even the slightest suspicion of compromise, among other possible measures.

At Letslaw we are digital lawyers and offer advice on data protection; do not hesitate to contact us.
