A flaw at Holaluz would make it possible to "know very well what your home is like"
Facua reports a security problem at the electricity company that exposes users' contracts
"With the Universal Code of Supply Point (CUPS) I could build a very well-defined picture of a house and its electricity consumption." That is how bluntly Rubén Sánchez, spokesperson for Facua, puts it to Innova+.
This week, the consumer association reported a serious security problem on the website of the electricity retailer Holaluz. "The data is exposed and we have known it for more than two weeks," adds Sánchez. "What Facua is saying is not true," Holaluz tells Innova+.
The error arose with the retailer's "Fair Rate", which promises that customers do not have to "worry about how much we consume or when we use the contracted energy". To back up that offer, it lets users calculate their future electricity bill from a set of personal data. "We cook those data in the dark; the user does not see where we got them from," say Holaluz sources.
Facua rejects that argument: "the way the flaw works is simple". "If you look at what is done behind the user interface you see the error," he adds. The problem is in the API, the set of commands used by programmers, which is usually protected. However, the request to the server "is made in the open," Sánchez complains.
"We are continuously improving. Obviously we have failures, but there are always people working. We are open to making mistakes; it is a priority and we are always working on it," the retailer acknowledges to Innova+.
Electric DNI
However, the company downplays the fact that the Universal Code of Supply Point can be obtained: "you cannot do anything" with it. Sánchez warns that "with that information you could go to another electricity company and get more information."
The matter is now in the hands of the Spanish Agency for Data Protection (AEPD), according to Facua. For now, the state agency has not made a statement: "it's early," they tell Innova+. For its part, Holaluz denies having received any request from the AEPD.
It is up to the department headed by Mar España to determine whether the data that can be accessed are personal and whether access to them would therefore violate the General Data Protection Regulation. "If the AEPD finds that there is a violation, Holaluz would have 72 hours to communicate the security problem to its clients. But those affected are not only its customers, because it manages a database with many of them," adds the spokesman of the consumer association.
That database, Holaluz confirms, is the SIPS, where distributors, retailers, the competent bodies and the contract holder can consult the information related to their electrical system.
If the Spanish Agency for Data Protection confirms the limited protection of this information and considers it personal data, the retailer is exposed to heavy fines for breach of the General Data Protection Regulation, compliance with which has been mandatory since May 25.
However, Holaluz defends its work and says "there is no breach". "You can get some information, but they are not personal data and you cannot do anything with them," say company sources. "In the section of the Holaluz website where it provides information about its rates, the page invites users to enter a postal address to indicate what offer it recommends. The company shows the rate proposed for the property entered and the power currently contracted in it," says Facua.
"We want the Data Protection Agency (AEPD) to evaluate Holaluz's practices because we believe that there is free access to private information, and not only that, but that this data can be used by malicious users."