Phishing in the dark: planning for human vulnerability when the lights go out
1 May 2025
James Browne comments on how threat actors use social engineering to leverage confusion in the wake of a cyber incident.
Rumours abound that a cyber attack was the cause of the electricity blackout in Spain and Portugal this week…
While the electricity companies say there’s no evidence of foul play, two “pro-Russian” hacking groups have (dubiously) claimed responsibility and the Spanish Courts have opened a criminal investigation into possible cyberterrorism.
Independent energy experts say it is “very dangerous” to speculate and that the blackout was likely caused by “a coincidence of several events.” But that’s no fun, so most articles are ignoring that.
To the 6.5 million Portuguese households with no power, the Government provided urgent clarification:
“There would seem to have been an issue in the power transmission network.”
However, what we do know is that as Iberia’s infrastructure suddenly rolled back a century, malicious actors have wasted no time in taking advantage of the chaos.
Within 48 hours, customers of the Portuguese national airline, TAP Air Portugal, were receiving emails informing them of their rights to compensation for cancelled flights.
The emails, which cite EU Air Passenger Rights Regulation, are a convincing clone of legitimate correspondence used by the airline for this purpose, except they also request financial details in order to send immediate compensation. Once these details have been provided, the links stop working.
As a form of social engineering, exploiting the human panic and chaos of major disruption is a favoured tactic for threat actors. People under severe stress are less likely to take basic precautions and more likely to believe something which is too good to be true (particularly if it purports to offer succour in a crisis).
After the CrowdStrike outage in 2024, where a flawed software update from a cybersecurity provider crashed millions of Windows systems running critical services, the National Cyber Security Centre (NCSC) warned that:
“…an increase in phishing referencing this outage has already been observed, as opportunistic malicious actors seek to take advantage of the situation. This may be aimed at both organisations and individuals.”
For organisations, defence remains the best form of defence. Detailed preparation and regular stress testing are always the most effective way to cope with a cyber incident if or when it comes along.
When developing their crisis management procedures, organisations must give adequate weight to the human vulnerabilities created by a crisis and build in robust training and safeguards to mitigate that risk.
As well as planning how to respond if they are themselves the target of a cyber attack, organisations must also consider the risk of “brand phishing” attempts on their customers: lures that impersonate the organisation, copy its legitimate correspondence and are sent from spoofed or lookalike domains while the organisation is visibly in difficulty.
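One control an organisation can check before a crisis is whether its own domain can be spoofed in the From: address at all. The script below, added here as an illustration and not code from the article or from DRD Partnership, grades a DMARC TXT record for how much protection it actually gives: a record with p=none only reports, a reduced pct or a weaker sp tag leaves a gap, and a missing rua means nobody sees the spoofing campaign. The sample records are constructed for illustration and do not belong to any real domain; the helper names are assumptions of this example.

```python
"""Added example, not code from the original article.

Grades a DMARC DNS TXT record for how well it stops a third party from
sending mail that claims to come from the organisation's own domain, the
kind of brand phishing described above. The sample records are constructed
for illustration and do not belong to any real domain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    verdict: str            # one of: missing, monitor, partial, enforcing
    notes: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into lower-cased tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return a verdict on whether the record actually blocks spoofed mail."""
    tags = parse_dmarc(record)
    notes: List[str] = []

    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(False, None, None, 0, "missing",
                               ["no v=DMARC1 tag: receivers treat the domain as having no policy"])

    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return DmarcAssessment(False, None, None, 0, "missing",
                               ["p tag missing or invalid: record is ignored by receivers"])

    # sp defaults to p; a weaker sp lets attackers send from sub.example.com.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in POLICY_RANK:
        sub_policy = policy
        notes.append("invalid sp tag; receivers fall back to p")
    if POLICY_RANK[sub_policy] < POLICY_RANK[policy]:
        notes.append(f"sp={sub_policy} is weaker than p={policy}: subdomains can be spoofed")

    # pct defaults to 100; anything less lets a share of spoofed mail through.
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100 else 100
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")

    if "rua" not in tags:
        notes.append("no rua tag: no aggregate reports, so spoofing campaigns go unseen")

    if policy == "none":
        verdict = "monitor"
        notes.append("p=none only reports; spoofed mail is still delivered")
    elif policy == "reject" and sub_policy == "reject" and pct == 100:
        verdict = "enforcing"
    else:
        verdict = "partial"

    return DmarcAssessment(True, policy, sub_policy, pct, verdict, notes)


# Constructed sample records (illustrative, not real domains).
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "weak_subdomains": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
    "not_dmarc": "v=spf1 include:_spf.example.com -all",
}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name:16} -> {result.verdict:9} {'; '.join(result.notes)}")
```

In practice the record is fetched from the TXT record at _dmarc.<domain> and fed to assess_dmarc; the verdict is a planning input, not a guarantee. DMARC only covers mail that claims to be from the exact domain: a lure sent from a lookalike domain, or one that simply copies the airline's template and sends from somewhere else, passes untouched, which is why customer-facing guidance and monitoring for lookalike registrations still belong in the crisis plan.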
The statistics are sobering: in the UK Government’s 2024 Cyber Security Breaches Survey, 84% of businesses that identified a breach or attack reported phishing, by far the most common attack type. When the lights go out, neglecting this weak spot is a dangerous game.
For strategic advice around cyber risk planning, management and live incident handling, contact: cyber@drdpartnership.com