A breach at one of Mango’s marketing subcontractors exposed limited information about certain customers without affecting the company’s internal systems.
Spanish fashion giant Mango confirmed that an external provider handling its marketing campaigns experienced unauthorized access to some personal data. The exposed information includes first names, countries, ZIP codes, email addresses, and phone numbers. No last names, passwords, or financial details were compromised, according to the brand. Mango stated that its internal infrastructure and systems were not affected and that the incident was reported to the Spanish Data Protection Agency (AEPD) and other relevant authorities.
A Controlled Breach, but a Warning Sign
The company, which operates over 2,700 stores worldwide, detected the incident last weekend and immediately activated its security protocols. Its online operations were not disrupted. Mango advised customers to remain alert to suspicious emails or calls requesting unusual actions. Customer service capacity has been increased to handle inquiries related to the breach.
This attack highlights the growing vulnerability of digital supply chains. Many retailers outsource marketing operations to external partners often linked to customer databases. These subcontractors can serve as entry points for cybercriminals, whose attacks exploit weaker defenses compared to main systems. It remains unclear whether this leak is linked to the cyberattack previously attributed to ShinyHunters/Scattered/Spider, a hacker now inactive.
A Context of Repeated Attacks Against European Retail
The Mango cyberattack adds to a series of recent incidents targeting Spanish and European retailers. In March, El Corte Inglés reported a breach at a third-party service that exposed customer credentials and banking data. Shortly after, the Tendam Group, owner of several fashion brands, suffered a massive data theft of around 720 gigabytes, accompanied by a ransom demand of €800,000.
Other international brands have also been hit this year. UK retailer Co-op announced a $274 million loss (about €252.4 million) linked to a cyberattack, while Louis Vuitton confirmed multiple intrusions at stores in Turkey, the UK, and South Korea. Victoria’s Secret, Dior, Tiffany, and Adidas have also reported recent incidents.
Growing Regulatory and Reputational Pressure
In line with the EU General Data Protection Regulation (GDPR), Mango reported the incident within the legal timeframe and committed to cooperating with Spanish authorities. The company did not specify the number of customers affected. The immediate impact appears limited, but the increase in attacks on third-party vendors underlines a systemic risk across the industry.
For fashion companies, securing the digital supply chain has become a strategic priority. Beyond regulatory penalties, customer trust is directly at stake. Each incident weakens brand reliability, especially in a highly competitive market. [ZATAZ News English version]