I-DE Redes Eléctricas Inteligentes, S.A.U. – €3,500,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
I-DE Redes Eléctricas Inteligentes, S.A.U. faced a fine for a data breach that exposed personal information of 1.35 million clients. The company failed to protect its GEA management portal from a cyberattack, which allowed hackers to access sensitive data. This case highlights the importance of strong security measures for businesses handling personal information.
What happened
A cyberattack on I-DE's GEA management portal exposed personal data of 1.35 million clients.
Who was affected
Clients of I-DE whose personal data, including names and identification numbers, was compromised in the breach.
What the authority found
The Spanish data protection authority found that I-DE did not implement adequate security measures to protect personal data, violating GDPR requirements.
Why this matters
This ruling emphasizes the need for companies to strengthen their cybersecurity practices. Businesses must ensure they have robust protections in place to safeguard customer data from potential breaches.
Original data from scraper before AI verification against source document.
On 15 March 2022, I-DE Redes Eléctricas Inteligentes, S.A.U. (the controller) detected an attack on its GEA management portal (GEA portal), which is a web portal that manages service connections between the electric distribution network. At that point, the controller had yet to detect any effect on personal data. The following day (16 March), a brute force attack was made against the same webpage, resulting in a general slowdown. The controller adopted security measures in order to repel the attack. The controller analysed the attack's activity and concluded that it had extracted the personal data of 1.35 million clients. The breached data included names, surnames, email addresses, phone numbers, addresses, national identification card numbers and client codes. On 18 March 2022, the controller notified the breach to the AEPD.
The controller is Iberdrola's energy distribution brand. Spanish law concerning the electricity sector requires that regulated activities (such as distribution of electricity) and unregulated activities (such as marketing) be unbundled. In accordance with that law, the controller stated that it could only access the personal data of users of its electric service. It thus claims that it does not have access to the data of data subjects managed by other distribution companies.
Despite this separation, the controller communicated the breach to other companies of the Iberdrola group on 28 March 2022, noting that it could have affected information referring to clients of these companies. The controller included internal codes corresponding to the affected clients so that the companies could verify whether those clients' data had been compromised. Two companies, Iberdrola Clientes, S.A. and Curenergía Comercializador de Ultimo Recurso SA, subsequently reported to the AEPD that personal data of 92,550 and 1,515,000 clients was affected, respectively. Due to the numerous companies affected, the AEPD initiated investigations into four entities. The contro
Details
Fine Date
7 February 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€3,500,000
GDPRhub ID
gdprhub-7819
Cite as: Cookie Fines. I-DE Redes Eléctricas Inteligentes, S.A.U. - Spain (2024). Retrieved from cookiefines.eu