Leader in Cyber Underwriting

Loading...

NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop

WindowsmacOSLinux

Analyze » Endesa » ENDNAT1777732165

Incident Score: Analysis & Impact (ENDNAT1777732165)

The details regarding individual company incidents & reports gives you full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact-51

Company Score Before Incident811 / 1000

Company Score After Incident760 / 1000

Company LinkView Endesa Profile

INCIDENT NUMBERENDNAT1777732165

Type of Cyber IncidentBreach

ATTACK VECTORThird-party database compromise

DATA EXPOSEDPersonal and financial information (full...

INCIDENT DATE31/12/2025

STATUSOngoing

Key Highlights From The Incident Analysis

Timeline of Endesa's Breach and lateral movement inside company's environment.
Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
How Rankiteo’s incident engine converts technical details into a normalized incident score.
How this cyber incident impacts Endesa Rankiteo cyber scoring and cyber rating.
Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Endesa breach identified under incident ID ENDNAT1777732165.

The analysis begins with a detailed overview of Endesa's information like the linkedin page: https://www.linkedin.com/company/endesa, the number of followers: 328462, the industry type: Utilities and the number of employees: 7444 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 811 and after the incident was 760 with a difference of -51 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Endesa and their customers.

Naturgy recently reported "Naturgy Data Breach Exposes Personal and Financial Information of Nearly Half a Million Spanish Customers", a noteworthy cybersecurity incident.

A significant data breach has compromised the personal and financial details of Naturgy clients in Spain, with cybercriminals offering 74.2 GB of stolen data allegedly belonging to over 1.8 million users on the dark web.

The disruption is felt across the environment, affecting Third-party database storing customer information, and exposing Personal and financial information (full names, national IDs, email addresses, bank account details, contractual information), with nearly 480,000 (confirmed), 1.8 million (alleged) records at risk.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Renewing credentials, blocking unauthorized access, conducting audits on platforms and third-party servers, and stakeholders are being briefed through Notified impacted individuals, advised on verifying corporate communications.

The case underscores how Ongoing, teams are taking away lessons such as Third-party risk management is critical; need for enhanced monitoring and audits of third-party vendors, and recommending next steps like Strengthen third-party security assessments, implement stricter access controls, enhance customer communication protocols, and improve dark web monitoring for stolen data, with advisories going out to stakeholders covering Affected customers advised to verify corporate communications to mitigate identity theft risks.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Supply Chain Compromise (T1195) with high confidence (90%), supported by evidence indicating breach did not originate from its own systems but from a third-party database and Trusted Relationship (T1199) with moderate to high confidence (80%), supported by evidence indicating third-party database storing sensitive customer information. Under the Credential Access tactic, the analysis identified Cloud Instance Metadata API (T1552.005) with moderate confidence (50%), supported by evidence indicating third-party database compromise may involve cloud-stored credentials. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating 74.2 GB of stolen data includes full names, national IDs, bank details and Data from Information Repositories (T1213) with high confidence (90%), supported by evidence indicating third-party database storing customer information compromised. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with moderate to high confidence (80%), supported by evidence indicating 74.2 GB of data offered on the dark web and Exfiltration Over Web Service (T1567) with moderate to high confidence (70%), supported by evidence indicating data exfiltration for potential ransom or sale on dark web. Under the Impact tactic, the analysis identified Data Destruction (T1485) with lower confidence (30%), supported by evidence indicating potential reputational damage due to exposure of sensitive data and Data Manipulation: Transmitted Data Manipulation (T1565.002) with lower confidence (40%), supported by evidence indicating high risk of identity theft and payment fraud for affected customers. Under the Defense Evasion tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating third-party database compromise suggests valid account misuse and Install Root Certificate (T1553.004) with lower confidence (40%), supported by evidence indicating blocking unauthorized access and renewing credentials. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Initial Access

Supply Chain Compromise (90%)

Trusted Relationship (80%)

Credential Access

Cloud Instance Metadata API (50%)

Collection

Data from Local System (90%)

Data from Information Repositories (90%)

Exfiltration

Exfiltration Over C2 Channel (80%)

Exfiltration Over Web Service (70%)

Impact

Data Destruction (30%)

Data Manipulation: Transmitted Data Manipulation (40%)

Defense Evasion

Valid Accounts (70%)

Install Root Certificate (40%)

Sources & References

Endesa Rankiteo Cyber Incident Details: https://www.rankiteo.com/company/endesa/incident/ENDNAT1777732165
Endesa CyberSecurity Rating page: https://www.rankiteo.com/company/endesa
Endesa Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/endnat1777732165-endesa-naturgy-breach-january-2026/
Endesa CyberSecurity Score History: https://www.rankiteo.com/company/endesa/history
Endesa CyberSecurity Incident Source: https://www.apd.cat/en/data-protection/naturgy-74-2-gb-of-data-on-the-dark-web-affect-3-of-its-portfolio-close-to-480-000-records_9680_102.html
Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/Images/rankiteo_algo.pdf
Rankiteo TPRM Scoring methodology: https://static.rankiteo.com/model/rankiteo_tprm_methodology.pdf