Zara owner Inditex reports a major third party data breach

Spanish clothing retail giant Inditex, the owner of Zara, said information related to commercial relationships with clients was compromised after third parties accessed one of its databases managed by a third party.

 

The company announced on Wednesday that the data breach did not compromise any personal or banking information related to its brands or customers. It added that following the cyber incident, it notified law enforcement authorities and applied cyber security protocols to strengthen the security of its systems.

 

Headquartered in Arteixo, A Coruña, Spain, Inditex owns several international fashion brands such as Zara, Pull&Bear, Massimo Dutti, Bershka, Stradivarius, Oysho, Zara Home and Lefties. The company, founded in 1985, operates over 7,200 stores in 93 markets worldwide that make it the largest fast fashion group in the world.

 

The company’s statement points to a major supply chain attack targeting a software vendor providing services to multiple organisations. 

 

"Inditex has immediately applied its security protocols and has initiated the notification to the corresponding authorities about this unauthorised access, which has its origin in an incident suffered by a former technological supplier that has affected several companies with international activity," Inditex said.

 

The company said on April 16 that the cyber security breach did not compromise customers’ names, phone numbers, addresses, passwords, or payment card information. Customers across Inditex’s global brands can continue to shop on the brands’ websites without facing any disruption.

 

In its latest annual report, Inditex reported sales of €39.9 billion globally with online transactions accounting for 27% of global sales. Given the high scale of digitisation of its commercial operations, the company accounted for major digital risks such as technological failures, cyber attacks and third party risks that could affect operational efficiency in the future.

 

"Given the high degree of digitalisation and technological integration of the business model, the eventual materialisation of incidents of a technological nature – derived, among other factors, from infrastructure failures, cybersecurity incidents, errors in applications or difficulties in interaction with technological third parties – could have a cross-cutting impact on the group’s activity, affecting the normal development of operational and commercial processes," it said.