Zara Data Breach Exposes 197,000 Customer Emails and Purchase Histories via Former Tech Provider Compromise
What Happened – Hackers accessed databases formerly hosted by a third‑party technology provider for Zara, extracting more than 197,000 unique customer email addresses, geographic locations, order IDs and support‑ticket details. The breach was publicly claimed by the ShinyHunters extortion gang, which also released a 140 GB archive of the stolen data.
Why It Matters for TPRM –
- Third‑party hosting failures can leak large volumes of consumer data even when core systems remain untouched.
- Exposure of purchase histories and email addresses enables credential‑stuffing, phishing, and targeted fraud campaigns against both customers and supply‑chain partners.
- Lack of attribution and limited visibility into the provider’s security posture heightens supply‑chain risk for all Inditex brands.
Who Is Affected – Retail & e‑commerce (Zara, Inditex group), their franchised stores, and any downstream vendors that process customer orders or support tickets.
Recommended Actions –
- Review contracts and security clauses with former and current technology providers; demand evidence of encryption at rest and strict access controls.
- Verify that any shared authentication tokens (e.g., Anodot, SSO credentials) have been rotated and that MFA is enforced.
- Conduct a data‑subject impact assessment and notify affected customers per GDPR/CCPA requirements.
Technical Notes – Attack vector appears to be a compromise of a former cloud‑hosting provider’s credentials (Anodot authentication tokens) leading to unauthorized BigQuery queries. No CVEs were disclosed. Stolen data includes email addresses, market‑specific SKUs, order IDs and support‑ticket metadata; no names, phone numbers, addresses, or payment details were reported.
Source: BleepingComputer
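As an added defender-side illustration (not code from the BleepingComputer report or from Zara/Inditex), the following Python triages BigQuery data-access audit entries for the pattern described in the Technical Notes: jobs run by a principal tied to an offboarded provider, jobs that read customer, order or ticket tables, and single jobs that scan an unusually large volume. The log field names, principal names, table names and thresholds are assumptions, and the sample entries are constructed.

```python
import json
import re

# Constructed sample: four simplified BigQuery data-access audit entries, one
# JSON object per line. Field names are an assumption modelled loosely on
# job-completed records in Cloud Audit Logs; this is not a real log export.
SAMPLE_LOG = """\
{"principalEmail":"analytics@example-retailer.iam.gserviceaccount.com","methodName":"jobservice.jobcompleted","totalBilledBytes":5242880,"query":"SELECT sku, qty FROM sales.daily WHERE dt = CURRENT_DATE()"}
{"principalEmail":"svc-former-provider@example-vendor.iam.gserviceaccount.com","methodName":"jobservice.jobcompleted","totalBilledBytes":21474836480,"query":"SELECT email, market, order_id FROM crm.customers"}
{"principalEmail":"svc-former-provider@example-vendor.iam.gserviceaccount.com","methodName":"jobservice.jobcompleted","totalBilledBytes":1048576,"query":"SELECT ticket_id, subject FROM support.tickets LIMIT 100"}
{"principalEmail":"analytics@example-retailer.iam.gserviceaccount.com","methodName":"jobservice.jobcompleted","totalBilledBytes":12884901888,"query":"SELECT * FROM sales.daily"}
"""

# Service accounts belonging to providers whose engagement has ended (assumed).
OFFBOARDED_PRINCIPALS = {"svc-former-provider@example-vendor.iam.gserviceaccount.com"}
# Tables holding the data classes named in the breach: emails, orders, tickets (assumed).
SENSITIVE_TABLES = {"crm.customers", "support.tickets"}
BULK_BYTES = 10 * 1024 ** 3  # flag any single job scanning 10 GiB or more (assumed threshold)

_TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+`?([\w.-]+)`?", re.IGNORECASE)


def referenced_tables(query: str) -> set[str]:
    """Tables named after FROM/JOIN in a query (crude, but sufficient for triage)."""
    return set(_TABLE_RE.findall(query))


def triage(log_text: str, offboarded=OFFBOARDED_PRINCIPALS,
           sensitive=SENSITIVE_TABLES, bulk_bytes=BULK_BYTES) -> list[dict]:
    """Return one finding per completed job that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("methodName") != "jobservice.jobcompleted":
            continue
        tables = referenced_tables(entry.get("query", ""))
        reasons = []
        if entry["principalEmail"] in offboarded:
            reasons.append("offboarded_principal")  # credential should no longer work at all
        if tables & sensitive:
            reasons.append("sensitive_table")       # touches customer/order/ticket data
        if entry.get("totalBilledBytes", 0) >= bulk_bytes:
            reasons.append("bulk_scan")             # whole-table read, typical of exfiltration
        if reasons:
            findings.append({"principal": entry["principalEmail"],
                             "tables": sorted(tables), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

An offboarded principal producing any job at all is the strongest signal here: it means a token the Recommended Actions say should have been rotated is still accepted.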