What happened
A threat actor identified as _py has published approximately 153,000 records of electricity and gas contracts on a cybercriminal forum, allegedly obtained from Zirconite de Negocios, an authorized commercial partner of Spanish energy giant Iberdrola. The leaked material relates to contracts processed by Zirconite across several Spanish territories including Catalonia, Aragon, the Balearic Islands, the Canary Islands, and the central zone.
The allegedly exposed data is extensive and spans multiple sensitive categories: full names, NIF and CIF tax identification numbers, DNI signatory identifiers, email addresses, phone numbers, location data, CUPS energy supply point codes, contracted tariffs, contract types, electrical power details, and economic indicators. Bank account references used for direct debit payments are also included in the exposed records. Commercial metadata is present as well, including sales channel details, managing agent information, call comments, and references to internal systems.
There are also indicators of attached documents linked to the records, potentially including PDF contracts, verification call recordings, and photographs, though the exact scope of that material has not been confirmed. Neither Iberdrola nor Zirconite de Negocios had publicly confirmed the incident or made any statement about its origin, scope, or remediation steps at the time of publication.
Who is affected
Approximately 153,000 customers whose electricity and gas contracts were managed by Zirconite de Negocios face potential exposure of personal, financial, and contractual information. The inclusion of bank account details used for direct debit payments is the most immediately sensitive element, given the direct fraud risk that creates for affected individuals.
Why CISOs should care
This incident illustrates a risk that energy and utilities companies face through their commercial partner networks. Iberdrola’s own systems may be entirely unaffected, but its customers’ data was exposed through a third-party commercial agent operating with access to sensitive contract and payment information. The breach, if confirmed, did not require compromising the primary utility provider at all.
For security leaders in regulated industries that rely on authorized commercial partners, distributors, or sales agents to handle customer contracts and payment data, this case is a concrete example of how third-party data handling creates material regulatory and reputational exposure regardless of where the breach occurred.
3 practical actions
- Audit data access rights granted to commercial partners and authorized agents: Review what customer data, including financial identifiers and payment references, is accessible to third-party sales and contract management partners, and apply least-privilege principles to limit exposure to only what is operationally necessary.
- Include commercial partners in your third-party data breach response procedures: If a partner holding your customers’ data is breached, your organization faces regulatory notification obligations under GDPR regardless of whether your own systems were touched. Confirm that your incident response plans cover partner breaches and define escalation paths for unconfirmed but publicly reported incidents.
- Monitor cybercriminal forums for unauthorized data listings involving your organization or its partners: The Iberdrola partner breach surfaced on a criminal forum before any corporate confirmation. Proactive dark web monitoring that includes partner names and data signatures can provide earlier warning and more time to assess exposure before customers and regulators are affected.
