A massive leak of personal data has compromised the information of Naturgy clients in Spain. The cybercriminal identified as Spain published an offer on the dark web claiming to have 74.2 GB of information from more than 1.8 million Spanish users of the energy distributor.
Scope and nature of the data exposed
The corporate spokesperson confirmed that the incident would affect approximately 3% of its commercial portfolio. Given that the company manages more than 16 million customers, the estimated volume of affected individuals is close to 480,000 records. The publication includes full names, surnames, DNIS, NIF, email addresses, and bank account numbers. Contractual details such as CUPS codes, physical addresses, contracted products, and internal provider notes have also been made public.
External origin and institutional response
Naturgy clarified that the security breach did not cause a direct failure in its own technological infrastructures. The unauthorized access occurred against a database owned by a third party that stores identifying and financial information. The organization has already informed those affected of the incident and has submitted the corresponding reports to the Spanish Data Protection Agency and the security forces.
"The breach did not occur in our systems but through a third party" - Spokesperson for Naturgy, Energy Company
The action protocols were activated immediately to contain the vulnerability. Technical teams renewed credentials, blocked suspicious access, and executed exhaustive audits on both their own platforms and the servers of the involved provider. It was ruled out that there was a compromise of passwords or access keys to the Client Area.
A recurring modus operandi in the sector
This attack adds to a previous campaign targeting the same sector during the first months of the year. The same cybercriminal actor had managed to infiltrate Endesa's networks, where they appropriated the information of 20 million subscribers. On that occasion, the release of 300,000 files served as pressure to demand a ransom payment from the board of directors.
The authorities maintain open lines of investigation to trace the traceability of these computer movements and guarantee the protection of sensitive data. Those affected receive clear instructions on how to verify the authenticity of future corporate communications and activate prevention mechanisms against possible identity theft attempts directed at their domestic environment.