E.ON Romania Fined €25,000 After Unauthorized Access to User Accounts: A Wake-Up Call for All Websites
On October 10, 2025, E.ON Romania, a major utility provider, was fined €25,000 under the GDPR after unauthorized actors accessed user accounts and exposed email addresses and passwords.
According to the National Data Protection Authority (ANSPDCP), E.ON failed to implement “adequate technical and organizational measures” to protect user data, resulting in a “high risk” of financial harm to affected individuals.
What Happened
The investigation revealed that attackers were able to extract sensitive user data (login credentials, email addresses) from E.ON’s systems. The regulator determined that this breach stemmed from inadequate security safeguards and non-compliance with GDPR obligations.
E.ON was ordered to:
- Pay a fine equivalent to 126,797 lei (≈ €25,000)
- Enforce multi-factor authentication (MFA) for all user accounts
- Adopt additional security and organizational measures aligned with GDPR requirements.
Why This Matters (to Every Website Owner)
Even large legacy companies can slip up. If a utility provider with heavy regulation can be fined for compromised accounts — what does that mean for startups, SaaS apps, or even small e-commerce sites?
Here’s what this incident signals:
- Data access is a red line. Exposing user credentials is a direct path to GDPR fines and reputational harm.
- Security must be baked in. Retrofitting protections after violations is too late.
- Compliance is never optional. What’s considered “safe enough” today might be deemed insufficient tomorrow.
This incident is not just an E.ON problem — it’s a warning shot for every website collecting user credentials or handling login systems.
Key Takeaways from the E.ON Case
| Risk | Compliance Requirement | What Went Wrong at E.ON |
|------|----------------------------|------------------------------|
| Unauthorized data access | GDPR Art. 32 — Security of processing | Lack of technical & organizational safeguards |
| Weak account protection | Two-factor/MFA requirement | E.ON had to be forced to adopt MFA |
| Incomplete remediation | Right to report, notify, audit | Users’ emails/passwords exposed; regulator intervened |
⚠️ Even if you’re not a utility, if your site allows user accounts or stores login credentials, you must ensure:
- Strong, salted password hashing (never plaintext passwords), with the records kept in a secured database
- MFA or alternative strong authentication
- Access controls and monitoring
- Regular audits and scanning, especially after updates or migrations
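The first two items of that checklist, salted password hashing and MFA, are shown below as an added example written for this article; it is not code from E.ON or ComplySafe. It uses only the Python standard library: PBKDF2-HMAC-SHA256 with a per-user random salt (so two users with the same password get different digests and a leaked table cannot be cracked in bulk), constant-time comparison, and an RFC 6238 TOTP second factor. The iteration count and record layout are assumptions, not values from the page.

```python
# Added example: salted password hashing + TOTP MFA, standard library only.
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 600_000  # assumed work factor (OWASP's floor for PBKDF2-HMAC-SHA256)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a storable record: fresh 16-byte random salt plus the PBKDF2 digest.
    The password itself is never stored; same password + different salt = different digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(recomputed, record["digest"])


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the default of common authenticator apps)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Accept the current step and the previous one to tolerate small clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time - d, step), code) for d in (0, step))


def register(password: str) -> dict:
    """Enrol a user: hashed password plus a random 20-byte TOTP secret (constructed here;
    in practice it is shared once with the user's authenticator app)."""
    record = hash_password(password)
    record["totp_secret"] = os.urandom(20)
    return record


def login(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; a stolen password alone does not open the account."""
    return verify_password(record, password) and verify_totp(record["totp_secret"], code, unix_time)
```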
Where Automated Compliance Scanning Helps
The E.ON breach underscores that compliance and security deficits often hide in your infrastructure or code. That’s exactly where automated compliance scanning tools step in:
- They crawl your entire site and check for common vulnerabilities and policy violations
- They analyze login flows, detect weak credential practices, exposed endpoints, and compliance gaps
- They produce reports showing what failed, why it failed, and how to fix it
By scanning proactively, you don’t wait until a regulator or payment processor finds your weakness — you find it first.
Don’t Get Caught Unaware
If a large company like E.ON can be penalized, smaller sites are far more fragile. Take a minute now to validate your site’s compliance posture before you broadcast your business to the world.
👉 Run an AI-powered compliance scan today at ComplySafe.io — and discover hidden risks before they become real liabilities.
ComplySafe.io helps businesses stay compliant with global payment, privacy, and financial regulations. One scan may help you avoid fines, revenue freezes, or reputational damage.
Ready to Ensure Your Compliance?
Don't wait for violations to shut down your business. Get your comprehensive compliance report in minutes.
Scan Your Website Now