Inditex, a Spain-based global fashion retailer and the parent company of brands including Zara, Bershka, and Stradivarius, has disclosed a data breach involving unauthorized access to databases managed by a third-party technology provider. The incident exposed certain transaction-related information but did not compromise sensitive personal data such as customer names, contact details, passwords, or payment information.
The company identified the breach as originating from a former external service provider and confirmed that multiple international companies were affected. The unauthorized access involved databases containing records related to commercial transactions, though the scope of exposed data was limited to non-sensitive information.
Inditex stated that it acted promptly after detecting the breach, implementing security protocols and initiating notifications to relevant regulatory authorities in compliance with applicable requirements. The company also confirmed that its internal systems and operations were not impacted and that its platforms continue to function securely without disruption.
The retailer emphasized that the absence of personally identifiable information in the compromised data significantly reduces risks such as identity theft or financial fraud. The exposed records were limited to transaction-related details, which do not include information that could directly identify or harm customers.
The incident highlights ongoing cybersecurity risks tied to third-party integrations, particularly for companies with extensive global operations and digital infrastructure. Inditex has previously acknowledged that reliance on external service providers can introduce vulnerabilities that may affect business continuity and data security.
As a company headquartered in Spain, Inditex operates under the European Union’s General Data Protection Regulation, which mandates timely disclosure of certain types of data breaches to authorities. Failure to comply with these requirements can result in significant penalties.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.