Inditex acknowledged in mid-April a data breach linked to unauthorized access to databases hosted by a former technology provider. The company maintained that its systems and operations were not affected and that the attackers did not obtain names, phone numbers, addresses, credentials, or payment data.
The tension of the incident lies in what was left out and what has appeared since. While the group downplayed the scope regarding the most sensitive information, the platform Have I Been Pwned confirmed the presence of 197,000 unique Zara customer emails along with order references and associated geographic data.
Have I Been Pwned confirmed 197,000 Zara customer emails
The breach affected information about commercial interactions with clients that was in databases of a former supplier. Inditex framed the case within a broader attack that reached several companies with international activity.
Have I Been Pwned verified 197,000 unique Zara emails.
In addition to those email addresses, the platform detailed that the stolen material includes product SKU codes, order identifiers, and geographic data linked to those orders. That set draws a level of exposure superior to a simple list of contacts, although it does not incorporate, according to Inditex, credentials or payment information.
ShinyHunters claimed the attack with a 140 GB file
The ransomware group ShinyHunters claimed responsibility for the intrusion and disseminated a 140 GB file with documents supposedly extracted from BigQuery instances. The group's attribution places the case within a campaign with international impact and not as an isolated incident concerning the fashion chain.
ShinyHunters published a 140 GB file.
According to that attribution, the extraction would have occurred through compromised Anodot authentication tokens. Inditex, for its part, linked the breach to databases hosted by a former technology provider and emphasized that the incident did not affect its internal operations.
The same group has appeared in recent incidents that have splashed the European Commission, Vimeo, Google, Cisco, Pornhub, Match Group, 7-Eleven, and McGraw Hill. The reference to those attacks broadens the context of the case and places the Inditex breach within a chain of actions claimed by a known actor in the sector.
Mango already notified in October another leak linked to marketing
The episode also comes after another warning in the Catalan textile sector. In October, Mango notified a data leak related to personal information used in its marketing campaigns.
The temporal coincidence between both cases once again puts the focus on the commercial and promotional data handled by large chains. In the case of Inditex, the company maintained that the attackers did not manage to access names, telephone numbers, addresses, or payment data.
In October, Mango notified a leak about personal data used in marketing campaigns.