
Australian fashion label SABO has come under scrutiny after a massive data breach exposed more than 3.5 million documents containing sensitive customer information. The leak was discovered by cybersecurity researcher Jeremiah Fowler, who found the unsecured database publicly accessible on the internet, unencrypted and without a password.
The compromised archive, totaling 292 gigabytes, contained 3,587,960 PDF files filled with personally identifiable information (PII) including customer names, addresses, emails, phone numbers, and detailed purchase records. The documents also included invoices, shipping forms, and return slips spanning a decade — from 2015 to 2025 — involving both retail and corporate customers of the Brisbane-based brand.
Fowler told VPNmentor that although the number of PDF files was just under 3.6 million, the actual number of individuals affected could be significantly higher. “In one single PDF file, there were 50 separate order pages,” he noted, suggesting that the exposed records could potentially represent data from tens of millions of transactions.
The records appeared to come from an internal document management system used by SABO to track sales, returns, and both domestic and international shipments. After discovering the exposure, Fowler sent a responsible disclosure notice to SABO. The company restricted public access to the database within hours of his report. However, SABO has not issued any public statement or responded to Fowler, leaving critical questions unanswered — including how long the database remained exposed, who was responsible for maintaining it, and whether any unauthorized parties accessed the data before it was secured.
Founded in Australia, SABO operates three physical stores in New South Wales and Queensland and ships its fashion collections worldwide via its online platform. The company, which reported $18 million in revenue in 2024, has cultivated a massive following on social media, boasting nearly 2 million followers on Instagram.
Security experts warn that even temporary exposure of such extensive personal information can have serious implications. Will Walker, founder of the Melbourne-based firm Scam Stopper, emphasized that data leaks of this nature can be a goldmine for cybercriminals. “The risk grows exponentially the longer a database is exposed,” said Walker. “When scammers gain access to internal documents, they can tailor fake invoices, shipping notices, or refund scams that mimic legitimate company communications.”
While Fowler did not confirm whether malicious actors accessed the data, he cautioned that only a forensic investigation could determine if the leak had been exploited. “Even without immediate signs of abuse, the potential for social engineering, phishing, and financial fraud remains high,” he said.
Experts point to similar cases in the fashion industry as cause for concern. Following a breach at luxury brand Louis Vuitton, targeted scam emails impersonating the company began circulating, promoting fake NFT collections to unsuspecting customers.