A threat actor operating under the handle "spain" has listed an alleged 109.79 GB Iberdrola customer database for sale on an underground forum, claiming the trove contains records on roughly 7 million customers of the Spanish energy giant. The listing was observed on June 1, 2026 and reported by Dark Web Informer on June 2, 2026. Iberdrola has not publicly addressed the claim, and the dataset remains unverified.
What Happened
On June 1, 2026, a forum user posting under the alias "spain" advertised a sample and full column listing of what they describe as Iberdrola's customer database, attributing the underlying intrusion to an actor known as "RP." Buyers are being directed to a Telegram contact, with escrow offered to vet the transaction. The seller pegs the dataset at 109.79 GB and approximately 7 million customer records, positioning it as one of the larger Spanish utility-sector listings observed in 2026. No price floor has been disclosed publicly; negotiations are happening off-forum.
What Was Taken
According to the seller's advertisement, the dataset allegedly includes:
- 7 million plus customer records totaling roughly 110 GB
- Customer names and internal account identifiers
- IBAN bank account numbers
- Spanish national identifiers (DNI, NIF, CIF)
- Email addresses and phone numbers
- Postal addresses including city, province, and ZIP
- Tariff details, contract terms, and contracted power (potencia) values
- Billing histories and purchase totals
- Supply-point identifiers (CUPS codes)
- Customer photographs and call recordings
If accurate, the combination of financial identifiers (IBAN), government identifiers (DNI/NIF/CIF), and supply-point metadata (CUPS) represents a uniquely toxic blend for downstream abuse in the Spanish market.
Why It Matters
Iberdrola is one of the largest electric utilities in Europe and serves a substantial share of Spain's residential and commercial electricity market. A breach at the claimed scale would touch a meaningful percentage of the Spanish population, putting national identifiers and direct-debit banking details into criminal circulation. The presence of CUPS codes and tariff data is particularly dangerous: those fields allow attackers to mount highly convincing utility-themed phishing and vishing campaigns, including fake billing disputes, fraudulent supplier-switch requests, and energy-subsidy scams targeting vulnerable customers. The inclusion of call recordings and customer photos, if real, also opens the door to deepfake-assisted social engineering against both the customers themselves and the call-center agents who serve them.
The listing also fits a broader 2026 pattern of high-volume customer databases tied to Iberian and Latin American consumer brands being trafficked through Telegram-mediated escrow rather than traditional forum auctions, complicating takedown and attribution work.
The Attack Technique
The seller credits the intrusion to an actor referenced only as "RP" and has not disclosed initial access vectors, dwell time, or the systems from which the data was exfiltrated. The breadth of fields, spanning CRM-style identity data, billing systems, supply-point telemetry, and call-center artifacts such as recordings and photos, suggests access to multiple back-end systems or to a consolidated data warehouse or analytics environment rather than a single application database. No exploited CVE, third-party vendor compromise, or insider-access claim has been advanced publicly. As with all unverified listings, defenders should treat the technique attribution as speculative until corroborating evidence emerges.
What Organizations Should Do
- Spanish energy and utility operators should hunt for unusual bulk reads against customer, billing, and CUPS-linked datastores over the past 90 days, and review service-account behavior in data-warehouse and BI tooling.
- Iberdrola customers and Spanish financial institutions should pre-position controls for IBAN-based direct-debit fraud, including elevated monitoring for mandate changes and unfamiliar SEPA pulls from accounts tied to leaked identifiers.
- Treat any inbound communication referencing a customer's CUPS code, tariff, or contracted power as potentially attacker-driven, and remind agents that knowledge of those fields is no longer proof of identity.
- Refresh phishing simulations and customer-facing warnings to cover utility-themed lures in Spanish, including fake refund, supplier-switch, and bono social scams.
- Validate that call-recording archives, customer-photo stores, and analytics exports are scoped behind least-privilege access, with egress monitoring on large object reads.
- Coordinate with AEPD and INCIBE-CERT for guidance and, where applicable, breach-notification obligations under GDPR Article 33 if internal investigation confirms exposure.
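One way to run the bulk-read hunt from the first recommendation above, as an added example that is not part of the original report: it sums rows read per principal per day on sensitive tables over the 90-day window and flags days far above that principal's own median. The log schema, table names, principal names, and thresholds are assumptions, and the sample log is constructed.

```python
import csv, io
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Assumed audit-log export schema: day, principal, table, rows_read.
SENSITIVE = {"customers", "billing", "cups_supply_points"}  # assumed table names
WINDOW_DAYS = 90

def load_daily_reads(csv_text, today):
    """Sum rows read per (principal, day) on sensitive tables inside the window."""
    cutoff = today - timedelta(days=WINDOW_DAYS)
    daily = defaultdict(lambda: defaultdict(int))
    for rec in csv.DictReader(io.StringIO(csv_text)):
        day = date.fromisoformat(rec["day"])
        if rec["table"] in SENSITIVE and cutoff <= day <= today:
            daily[rec["principal"]][day] += int(rec["rows_read"])
    return daily

def flag_bulk_reads(daily, k=6.0, min_rows=100_000):
    """Flag days above median + k*MAD of the same principal's other days."""
    hits = []
    for principal, days in daily.items():
        for day, rows in days.items():
            if rows < min_rows:  # ignore small reads regardless of baseline
                continue
            others = [v for d, v in days.items() if d != day]
            if not others:  # first-seen principal doing a large read
                hits.append((principal, day, rows, "no baseline"))
                continue
            med = median(others)
            mad = median(abs(v - med) for v in others) or 1
            if rows > med + k * mad:
                hits.append((principal, day, rows, f"baseline median {med}"))
    return sorted(hits, key=lambda h: -h[2])

def sample_log():
    """Constructed sample: steady BI account with one outlier day, plus a new principal."""
    rows = ["day,principal,table,rows_read"]
    for i in range(20):
        d = date(2026, 5, 1) + timedelta(days=i)
        rows.append(f"{d},svc-bi-report,billing,{40_000 + 500 * (i % 5)}")
    rows.append("2026-05-21,svc-bi-report,customers,6900000")
    rows.append("2026-05-22,tmp-export,cups_supply_points,250000")
    rows.append("2026-01-02,svc-bi-report,customers,5000000")  # outside window
    rows.append("2026-05-22,svc-bi-report,marketing_events,9000000")  # not sensitive
    return "\n".join(rows)

if __name__ == "__main__":
    for hit in flag_bulk_reads(load_daily_reads(sample_log(), date(2026, 6, 1))):
        print(hit)
```

Each hit is a lead for review against change tickets and scheduled jobs, not a verdict; a principal with no baseline is flagged on volume alone.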
Sources: Threat Actor Claims to Sell a 110 GB Iberdrola Customer Database Affecting 7 Million Customers