A possible security breach in Zirconite de Negocios, authorized commercial partner of Iberdrola, would have left exposed about 153,000 records of electricity and gas contracts managed by this company in several territories, among them Cataluña.
The leak would have been disseminated by an attacker who identifies as _py on a cybercriminal forum. The shared material corresponds to contracts processed by this commercial collaborator, who operates in Catalonia, Aragon, Balearic Islands, Canary Islands and the central zone.
Personal and contractual data exposed
Among the information allegedly compromised are full names and surnames, NIF or CIF of the contract holder, DNI of the signatory, email addresses, phone numbers, and location data.
The leak also includes CUPS codes, the contracted tariff, the type of contract, the electrical power and different economic indicators of buying and selling. To this are added references to bank accounts used for direct debit payments, an especially sensitive point due to the volume and nature of the affected data.
Commercial information and indications of more documentation
The exposed records are not limited to the client's identifying data. They also incorporate details of the commercial operation, such as the sales channel, the managing agent, call comments, and references to internal systems identified as refintranet and empresa_saintranet.
Furthermore, there are indicators of the possible presence of attached documents linked to those files. Among them would appear contracts in PDF, recordings of verification calls and photographs, although the exact scope of that material has not been revealed nor how many files could have been compromised.
Without official confirmation for now
Neither Iberdrola nor Zirconite de Negocios have publicly confirmed the incident. Nor have they made statements about the scope of the alleged breach, the origin of the unauthorized access, or the possible measures adopted after the publication of the data.
The exposure affects commercial and personal information of special sensitivity and reaches clients managed by a collaborator with activity in several communities. Awaiting an official communication, the case is marked by the lack of corporate confirmation and by the volume of records allegedly disseminated in environments linked to cybercrime.