
Iberdrola, Zirconite and the 150,000-Record Data Leak: A Third-Party Breach Lesson

In late April 2026, Spanish cybersecurity outlet Escudo Digital reported that Iberdrola had acknowledged a data leak affecting around 20,000 current customers. The same incident may also involve around 130,000 former customers, bringing the total exposed records to roughly 150,000. The breach was linked not to Iberdrola's own systems, but to Zirconite, one of its commercial partners.

The case is important because it shows one of the most common patterns in modern cybersecurity: a large company may not be directly breached, but customer data can still be exposed through a supplier, partner or external service provider.

That is why this incident should be understood as a third-party breach, also known as a supply chain data breach.

What Happened?

According to the reports, a threat actor claimed to have obtained around 150,000 records connected to Iberdrola customers and former customers. The exposed information allegedly included highly sensitive commercial and personal data, such as full names, NIF or CIF, DNI, email addresses, phone numbers, location data, CUPS energy supply codes, contracted tariff, contract type, electrical power, economic indicators and additional material linked to the commercial process, including possible verification-call recordings and images.

Iberdrola reportedly told Escudo Digital that it had not detected any intrusion into its own systems and had no indication that data had been exfiltrated from Iberdrola's internal environment. The company also said it had contacted the affected provider and requested the necessary information while acting with due diligence. Later, Iberdrola provided more detail: only about 13% of the exfiltrated records reportedly corresponded to current customers. That would mean around 20,000 current Iberdrola customers were affected, while the remaining 130,000 records related to people who had been Iberdrola customers at some point in the past.

What Is Zirconite, the Third Party?

Zirconite, formally referred to in reports as Zirconite de Negocios, is described as a commercial partner or authorized commercial collaborator of Iberdrola. In practice, this means it is not Iberdrola itself, but an external company that works with Iberdrola-related commercial activity, such as customer acquisition, contract management or sales support. Reports describe it as operating in several regions, including Catalonia, Aragón, the Balearic Islands, the Canary Islands and part of central Spain.

This distinction matters. Customers usually think of their relationship as being with Iberdrola, but their data may pass through or be stored by partners that support Iberdrola's commercial operations.

That creates a wider risk surface. Even if Iberdrola's own systems are secure, a partner's database may contain enough sensitive information to cause real harm if it is exposed.

A third-party breach is dangerous because responsibility and visibility can become split:

  • Iberdrola owns the customer relationship
  • Zirconite may process or store some customer data
  • The customer may not know Zirconite exists
  • The attacker only needs to compromise the weakest point where the data exists

Why This Breach Matters

This is not just a story about one supplier. It is a lesson in how customer data moves through modern businesses.

Energy companies rely on partners for sales, contracting, customer support, verification, marketing and local commercial operations. That ecosystem can be efficient, but it also means sensitive data can be copied, stored and handled outside the main company's direct infrastructure.

The reported data types are especially sensitive because they can be used for convincing fraud. A criminal with a customer's name, DNI, phone number, CUPS code, tariff and contract details could create a very believable scam call or email.

For example, an attacker could say:

"We are calling about your Iberdrola supply contract ending in this CUPS number. We need to validate your bank account to apply a tariff change."

That kind of scam works because it uses real details to create trust.

A Seven-Level Breach Analysis

Level 1: Surface — How Did the Breach Become Possible?

The exposed surface appears to be third-party data handling.

Based on the reporting, the breach was linked to Zirconite, a commercial partner, rather than Iberdrola's own systems. Iberdrola reportedly said it had not detected an intrusion into its internal systems.

What is known:

  • The incident involved a partner connected to Iberdrola's commercial activity
  • The affected records reportedly contained customer and former-customer data
  • The exposed information appears to have been stored or handled outside Iberdrola's core systems
  • The breach involved data related to energy contracts, not just basic contact information

What is unknown:

  • Whether the initial compromise came from phishing
  • Whether credentials were stolen
  • Whether a database or service was exposed online
  • Whether an unpatched vulnerability was exploited
  • Whether the issue was caused by misconfiguration
  • Whether access controls were too broad

The key lesson at this level is that the organization's true attack surface was larger than Iberdrola's own infrastructure. It included partner systems where customer data was processed or stored.

Level 2: Intrusion — How Was Access Gained and Expanded?

The public reporting does not yet explain exactly how the attacker gained access.

What is known:

  • A threat actor claimed to have obtained a large dataset
  • The dataset reportedly contained around 150,000 records linked to Iberdrola customers and former customers
  • Iberdrola said it had not detected an intrusion into its own systems

What is unknown:

  • The attacker's initial access method
  • Whether the attacker used stolen credentials
  • Whether the attacker exploited a technical vulnerability
  • Whether the attacker accessed a database directly
  • Whether the attacker moved laterally through Zirconite's systems
  • Whether any administrative account was compromised
  • Whether the attacker had access to only one database or multiple systems

The safest analysis is this: the intrusion appears to have affected a partner environment connected to Iberdrola customer data, but there is not enough public information to describe the technical path of compromise.

That matters because serious breach analysis should avoid filling gaps with guesses.

Level 3: Persistence — Why Was the Attacker Not Removed Sooner?

What is known:

  • The reporting discusses exfiltrated or leaked records
  • Iberdrola said it was requesting information from the provider and would act once the facts were clarified
  • The incident appears to have required investigation between Iberdrola and Zirconite

What is unknown:

  • How long the attacker had access
  • Whether Zirconite detected the intrusion internally
  • Whether the breach was discovered through external monitoring, a threat actor post or another source
  • Whether logs were available and complete
  • Whether alerts were triggered
  • Whether endpoint detection or database monitoring was in place
  • Whether access was still active when the breach was discovered

The defensive blind spot in third-party breaches is visibility. Iberdrola may have strong monitoring inside its own environment, but if customer data sits in a partner's system, detection depends heavily on that partner's controls.

This is one of the hardest parts of supply chain security: the main company can be accountable to customers, while the technical evidence sits somewhere else.
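Whether database monitoring existed on the partner side is one of the open questions above. One concrete form such monitoring takes is a bulk-read detector over the database's own access log: a sales agent reads a handful of customer rows at a time, while an exfiltration reads the whole table in a few large queries. The following is an added example, not code from the article, Iberdrola or Zirconite; the log format, the account names, the row counts and the 5,000-rows-per-10-minutes threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed database audit-log lines (not from Zirconite or Iberdrola).
# Assumed format: <ISO timestamp> <account> <action> <table> rows=<count>
SAMPLE_LOG = """\
2026-04-20T09:01:10Z agent_ana  SELECT customers rows=12
2026-04-20T09:03:45Z agent_ana  SELECT customers rows=8
2026-04-20T09:05:02Z agent_luis SELECT customers rows=25
2026-04-20T02:14:30Z svc_export SELECT customers rows=40000
2026-04-20T02:16:05Z svc_export SELECT customers rows=40000
2026-04-20T02:17:51Z svc_export SELECT customers rows=40000
2026-04-20T02:19:22Z svc_export SELECT customers rows=30000
2026-04-20T10:30:00Z agent_luis SELECT customers rows=15
"""

# Assumed policy: no single account should read more than this many customer
# rows inside one sliding window; tune it to the partner's real workload.
ROWS_PER_WINDOW = 5000
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn raw lines into (timestamp, account, rows) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, _action, _table, rows = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, account, int(rows.split("=", 1)[1])))
    events.sort()
    return events


def peak_rows_per_account(events, window=WINDOW):
    """Highest number of rows any account read within any window-long span."""
    recent = defaultdict(deque)   # account -> (timestamp, rows) still inside the window
    running = defaultdict(int)    # account -> rows currently inside the window
    peaks = defaultdict(int)
    for when, account, rows in events:
        q = recent[account]
        q.append((when, rows))
        running[account] += rows
        # Drop reads that have fallen out of the window before taking the peak.
        while q and when - q[0][0] > window:
            _, old_rows = q.popleft()
            running[account] -= old_rows
        peaks[account] = max(peaks[account], running[account])
    return dict(peaks)


def bulk_access_alerts(text, threshold=ROWS_PER_WINDOW, window=WINDOW):
    """Accounts whose peak in-window row count reaches the threshold."""
    peaks = peak_rows_per_account(parse_log(text), window)
    return sorted((acct, n) for acct, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    for account, rows in bulk_access_alerts(SAMPLE_LOG):
        print(f"ALERT: {account} read {rows} customer rows within {WINDOW}")
```

In the constructed sample the service account reads 150,000 rows in under five minutes at two in the morning, while the two agent accounts stay in the tens. The point for a contract with a partner is that this signal only exists if the partner keeps query-level logs with row counts and someone is obliged to act on them; the main company cannot see it from its own environment.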

Level 4: Impact — What Was Actually Compromised?

The reported impact is a data confidentiality breach.

What is known:

  • Around 20,000 current Iberdrola customers were reportedly affected
  • Around 130,000 former customers may also have been affected
  • The total dataset was reported at around 150,000 records
  • The data allegedly included personal identity information and energy contract details

Potentially exposed data included full name, NIF or CIF, DNI of the contract signer, email address, phone number, location, CUPS code, contracted tariff, contract type, electrical power, economic indicators, and commercial-process material possibly including verification-call recordings and images.

What is unknown:

  • Whether all claimed records are authentic
  • Whether every field was present for every person
  • Whether bank account data was included in all or only some records
  • Whether recordings and images were actually included and usable
  • Whether the data has been sold, shared privately or widely circulated
  • Whether affected customers have all been notified

The real-world risk is not only privacy loss. It is fraud. Energy-contract data is highly useful for social engineering. Attackers can impersonate Iberdrola, a partner, a debt collector, a tariff advisor or a fake switching service. The more contract-specific the data is, the more believable the scam becomes.

Level 5: Response — How Did the Organization React?

According to Escudo Digital, Iberdrola stated that it had not detected intrusion into its own systems and had contacted the affected provider to request information. The company also said it would take appropriate measures once it had exact knowledge of the facts, including complaints to the competent authorities where appropriate.

This is important because under the GDPR, organizations must assess whether a personal data breach creates risk for individuals. If it does, the controller must notify the relevant data protection authority within 72 hours of becoming aware of the breach. The AEPD explains that if the risk is high, the affected people must also be informed so they can protect themselves.

What is known:

  • Iberdrola publicly denied detecting intrusion in its own systems
  • It acknowledged that a partner-related leak affected current and former customers
  • It requested information from the provider

What is unknown:

  • Whether the AEPD had already been notified at the time of the article
  • Whether all affected customers had been individually informed
  • Whether Zirconite notified Iberdrola immediately
  • Whether containment was completed
  • Whether the leaked data was removed from criminal forums or marketplaces
  • Whether any customer protection measures were offered

A strong response in this kind of incident should include clear notification, forensic investigation, containment, customer guidance and a review of vendor controls.

Level 6: Root Cause — Why Was This Breach Possible at a Systemic Level?

The likely root cause is not simply "Zirconite was hacked."

The deeper issue is sensitive customer data existing across a commercial partner ecosystem. When companies use partners to sell, verify or manage contracts, those partners may need access to customer information. But the more sensitive data is distributed, the harder it becomes to protect consistently.

Possible systemic causes include:

  • Too much customer data shared with commercial partners
  • Long retention of former-customer records
  • Insufficient supplier security validation
  • Weak contractual enforcement of cybersecurity controls
  • Lack of continuous monitoring of partner environments
  • Unclear responsibility between controller and processor
  • Inadequate data minimization
  • Incomplete deletion of old customer data after the commercial need ends

The presence of 130,000 former customers is especially important. It raises a governance question: why was historical customer data still available in a partner-linked environment, and was all of it still necessary?

Former-customer data still creates risk. A person does not stop being vulnerable to fraud just because they no longer have a contract.

Level 7: Lessons and Pattern — What Does This Breach Predict?

The Iberdrola-Zirconite case points to a broader trend: attackers are increasingly targeting the business ecosystem around large companies, not only the companies themselves. That pattern is especially relevant in Spain's energy sector, where recent incidents involving energy companies and suppliers have drawn attention to third-party exposure.

1. Third parties are part of the company's real security perimeter

A company's risk does not stop at its firewall. If a supplier stores customer data, that supplier is part of the security perimeter.

2. Former-customer data can be just as dangerous as current-customer data

Old records can still contain names, IDs, contact details and contract history. Attackers can use that information for fraud long after the customer relationship ends.

3. Energy data is powerful social-engineering material

CUPS codes, tariffs, contract type and electrical power details can make scams sound legitimate. This is more dangerous than a simple email-address leak.

4. Vendor due diligence must be continuous

A security questionnaire during onboarding is not enough. Companies need ongoing controls, audit rights, logging requirements, breach-notification obligations and regular access reviews.

5. Data minimization is a security control

The safest data is data that was never shared, never copied or already deleted. Partners should only receive the minimum information needed to perform the service.
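The minimization and retention questions raised under Level 6 (why former-customer records were still reachable) and in Lesson 5 (partners receive only what the service needs) can both be enforced at the point where a partner dataset is generated, rather than left to policy documents. The following is an added example, not Iberdrola's or Zirconite's code. It assumes a constructed internal record layout, an allow-list of five fields a sales partner needs, and a one-year retention after contract end; real field names and retention periods would come from the organization's own schema and legal review.

```python
from datetime import date, timedelta

# Constructed internal records (not Iberdrola's schema, not real people).
# contract_end of None means a current customer.
TODAY = date(2026, 4, 30)
CUSTOMERS = [
    {"contract_id": "C-1001", "full_name": "Ana Ejemplo", "dni": "00000000T",
     "email": "ana@example.invalid", "phone": "+34600000001",
     "address": "Calle Falsa 1, Zaragoza", "cups": "ES0000000000000000AA",
     "tariff": "2.0TD", "contract_type": "residential", "power_kw": 4.6,
     "bank_iban": "ES0000000000000000000000",
     "verification_call_recording": "call-1001.wav", "contract_end": None},
    {"contract_id": "C-1002", "full_name": "Luis Ejemplo", "dni": "00000001R",
     "email": "luis@example.invalid", "phone": "+34600000002",
     "address": "Carrer Inventat 2, Girona", "cups": "ES0000000000000000BB",
     "tariff": "3.0TD", "contract_type": "business", "power_kw": 15.0,
     "bank_iban": "ES0000000000000000000001",
     "verification_call_recording": "call-1002.wav",
     "contract_end": date(2026, 1, 31)},   # ended three months ago
    {"contract_id": "C-1003", "full_name": "Marta Ejemplo", "dni": "00000002W",
     "email": "marta@example.invalid", "phone": "+34600000003",
     "address": "Calle Ficticia 3, Palma", "cups": "ES0000000000000000CC",
     "tariff": "2.0TD", "contract_type": "residential", "power_kw": 3.45,
     "bank_iban": "ES0000000000000000000002",
     "verification_call_recording": "call-1003.wav",
     "contract_end": date(2022, 2, 28)},   # ended four years ago
]

# Assumed allow-list: what a sales/verification partner needs for its task.
PARTNER_ALLOWED_FIELDS = frozenset({"contract_id", "full_name", "phone", "cups", "tariff"})
# Assumed policy: partner-side copies of former customers expire a year after contract end.
RETENTION_AFTER_CONTRACT_END = timedelta(days=365)


def partner_view(record, allowed=PARTNER_ALLOWED_FIELDS):
    """Project a full record onto the fields the partner is allowed to receive."""
    return {k: v for k, v in record.items() if k in allowed}


def within_retention(record, today=TODAY, retention=RETENTION_AFTER_CONTRACT_END):
    """Current customers are always in scope; former ones only until retention lapses."""
    end = record.get("contract_end")
    return end is None or (today - end) <= retention


def build_partner_dataset(records, today=TODAY, allowed=PARTNER_ALLOWED_FIELDS,
                          retention=RETENTION_AFTER_CONTRACT_END):
    """Return (rows to share, contract ids to purge from partner copies)."""
    shared, expired = [], []
    for rec in records:
        if within_retention(rec, today, retention):
            shared.append(partner_view(rec, allowed))
        else:
            expired.append(rec["contract_id"])
    return shared, expired


def fields_outside_allowlist(dataset, allowed=PARTNER_ALLOWED_FIELDS):
    """Export gate: every field name present that the partner should not have."""
    present = set()
    for rec in dataset:
        present.update(rec)
    return present - allowed


if __name__ == "__main__":
    shared, expired = build_partner_dataset(CUSTOMERS)
    print(f"sharing {len(shared)} rows, purging {expired}")
    print("fields leaking past the allow-list:", fields_outside_allowlist(shared) or "none")
```

Run against the constructed records, the export contains two rows with only the five allowed fields, the four-year-old contract is listed for purging, and the gate reports nothing outside the allow-list. Running the same gate on the full internal table names DNI, IBAN, address and the call recording, which is the set of fields the reports say ended up exposed; a gate like this in the export pipeline is cheap compared with explaining their presence afterwards.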

What Affected Customers Should Do

Customers and former customers should be alert for targeted scams using real Iberdrola contract details.

Practical steps:

  • Be suspicious of calls claiming to offer urgent tariff changes
  • Do not confirm DNI, bank details or CUPS codes by phone unless you initiated the contact through official channels
  • Avoid clicking links in unexpected SMS or email messages about Iberdrola bills, refunds or contract renewals
  • Check account activity for unusual direct debits
  • Contact Iberdrola through the official app, website or phone number if something seems suspicious
  • Be extra careful if a caller knows real contract details — that does not prove the call is legitimate

Final Takeaway

The Iberdrola-Zirconite incident is a strong example of modern third-party cyber risk.

Iberdrola says it did not detect an intrusion into its own systems, yet customer and former-customer data may still have been exposed through a commercial partner. That is the central lesson: customers experience the harm at the brand level, even when the technical breach occurs somewhere else.

The real question for large organizations is no longer only:

"Are our systems secure?"

It is also:

"Where does our customer data go, who stores it, how long is it kept, and how do we know it is protected?"
