Once again, the theft of personal data highlights that companies have to work harder to avoid these cyberattacks. A little over two years ago, the large data leak affecting more than 1.3 million customers of the electricity and energy company became known. It was one of those leaks that users noticed over time, as they received commercial calls in which the callers had all of their data as Iberdrola customers. Now the sanction imposed by the Spanish Data Protection Agency is known.
More than two years ago the news broke: a cyberattack exposed the sensitive data of 1.3 million customers. The Spanish company confirmed it: "We have suffered a cyberattack on our information systems. The incident, now remedied, resulted in access to the data of some of our clients." After learning of this incident, they continued to receive massive attacks, although these could be stopped at the time.
The data exposed as a result of this attack were: names and surnames, ID numbers, addresses, telephone numbers, client codes and email addresses. Other data, such as the banking or consumer information of the company's different clients, was therefore not found.
Sanctions against Iberdrola from the AEPD
The AEPD has published the resolution of the sanctioning procedures against the company Iberdrola, which until now were pending. For this reason, the amounts that the Spanish electricity and gas company will have to face are already known: up to a total of 6.5 million euros.
First, a fine of 2.5 million euros is imposed on i-DE Eléctricas Inteligentes, SAU, for violating Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, plus a further one million euros for a violation of Article 32 of the RGPD, typified in Article 83.4 of the RGPD.
In addition, the amounts imposed on Iberdrola itself after the resolution of other procedures, up to 3 million euros, must be added. In this case, the fines are 1 million euros (violation of Article 32 of the RGPD, within Article 83.5 of the RGPD) and 2 million euros (violation of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD).
How the data theft happened
The theft of this sensitive data from the Spanish company's clients was due to a vulnerability in the file management system of i-DE's GEA portal, which is responsible for managing "light connection files for both consumption and production." The problem began in early March two years ago, although it was not detected until the 15th of that month.
So for 7 days the attackers were copying the information of more than 1 million of the company's clients (the company has a total of more than 20 million users). And it did not only affect Iberdrola customers, but also those of other marketing companies such as Curenergía.
The AEPD makes its position clear regarding the security measures, since it considers, in short, that the "measures were objectively inadequate, as a consequence of the fact that the attack could indeed have occurred and the security breach took place." In any case, it considers that the level of damage suffered is high, because the theft affected not only 1.35 million customers but also another 1.6 million users, as explained in file EXP202305587.