Cyber Incident Victim: Eneco
Date: Jan 2021
Location: Netherlands
Summary
A Dutch energy supplier experienced a data breach after cybercriminals used credentials stolen from other websites to compromise approximately 1,700 customer accounts in its online portal, potentially accessing and altering personal data. The company temporarily suspended account access, notified affected individuals to reset credentials, and reported the incident to authorities while engaging independent experts for investigation. As a precaution, an additional 47,000 customers were advised to change passwords despite no evidence their accounts were breached, with broader communications emphasizing secure password practices to mitigate future risks.
Description
Eneco, a Dutch energy supplier, detected irregular login attempts targeting its My Eneco customer portal during the week preceding January 8, 2021. The company determined cybercriminals had successfully accessed approximately 1,700 private and small business accounts by exploiting email-password combinations stolen from prior breaches at unrelated websites. Attackers viewed and potentially modified personal data within these compromised accounts. Eneco temporarily disabled My Eneco access on January 8 to conduct forensic analysis and prevent further unauthorized entry, later restoring service after implementing unspecified security measures. The breach was reported to the Dutch Data Protection Authority, with plans to file a police report. Direct notifications were sent to all 1,700 affected customers, instructing them to create entirely new accounts with different passwords due to credential exposure risks.

Eneco expanded communications on January 11 by alerting an additional 47,000 customers who had logged into My Eneco during the incident timeframe as a precautionary measure, despite finding no evidence their accounts were accessed. Independent cybersecurity experts were engaged to assist with investigation and remediation efforts. The company publicly emphasized password security best practices across multiple channels, urging customers to avoid credential reuse. No technical details regarding the attackers' entry methods, specific data types accessed, or system vulnerabilities were disclosed. The incident exclusively impacted the My Eneco web portal, with no reported disruptions to core energy delivery services. Eneco's response focused on credential reset requirements for confirmed victims, generalized password hygiene advisories for broader customer groups, and third-party collaboration to strengthen login security protocols.
