A breach at an external provider exposes banking data of 3% of Naturgy customers in Spain, but no passwords were leaked

Naturgy has reported a breach at an external provider that affects 3% of its customers in Spain. Bank details were leaked, but not passwords. The OCU confirms that banks must reimburse any fraud.

May 12, 2026 at 13:40h

On May 11, Naturgy reported a security breach following unauthorized access to the systems of an external provider that managed customer data. The company has notified the Spanish Data Protection Agency, the competent authorities, and potentially affected users, and has activated its response protocol.

The incident did not directly hit the company's internal systems, but it affects approximately 3% of customers in Spain and could compromise identifying, contractual, and banking data. The paradox of the case is that the intrusion occurred outside Naturgy's own infrastructure, yet the consequences of the exposed information fall on its customers.

The leak exposed banking data without compromising access credentials

The company maintains that the unauthorized access was limited to the technological environment of an external provider. Identification data, contract information, and banking data could have been exposed in that breach, although Naturgy specifies that access credentials have not been leaked.

On May 11, 2026, Naturgy reported the breach.

That distinction shapes the immediate risk for those affected. The absence of credentials reduces the possibility of direct access to user accounts, but the combination of personal and banking data opens the door to more targeted fraud through messages, calls, or emails that appear to come from the company or a financial entity.

The OCU notes that the bank must refund a fraudulent charge

The Organization of Consumers and Users warns that, in the weeks following the incident, customers may receive personalized identity theft attempts. The objective of these contacts is usually to obtain more sensitive information or to get the user to validate a fraudulent operation.

The leak affects about 3% of customers in Spain.

In that scenario, the OCU notes that a payment resulting from fraud linked to the leak is not considered authorized. If such a charge occurs, the bank must refund the money to the customer.

In addition to communicating the breach quickly, companies are obligated to protect personal data and adopt preventive measures. If they do not comply with these obligations, they may be held liable for incident management and for the protection of compromised information.

Among the potentially compromised data are identifying, contractual, and banking information of Naturgy clients in Spain.

About the author
Redacción