Fashion retailer Zara has disclosed a data breach affecting approximately 197,000 individuals after attackers gained unauthorized access to systems connected to a third-party service provider.
The incident was confirmed by Zara’s parent company, Inditex, which said the breach originated from a cybersecurity incident involving a former technology vendor used by multiple international companies.
According to breach notifications, the exposed information included names, email addresses, phone numbers, postal addresses, and dates of birth tied to affected individuals. The company stated that passwords and payment card details were not compromised in the incident.
Inditex said the attackers accessed databases containing customer transaction-related information hosted by the external provider. The company added that its own operational systems and online platforms were not directly impacted and remained functional throughout the incident.
The breach disclosure comes amid broader claims from the ShinyHunters cybercrime group, which recently listed Zara among multiple companies allegedly affected in a wider leak campaign. The group later published datasets it claimed were stolen from several major brands, including Zara, Carnival, and 7-Eleven.
At this stage, it remains unclear whether the 197,000 affected individuals are directly connected to the ShinyHunters claims or whether the incidents are entirely unrelated. Inditex has not publicly attributed the breach to a specific threat actor.
The company said it immediately activated security protocols and notified relevant authorities after discovering the unauthorized access.
Although financial information was reportedly not exposed, cybersecurity experts warn that the leaked personal details could still be valuable for phishing attacks, identity fraud, and targeted scams. Attackers frequently use combinations of names, email addresses, phone numbers, and birth dates to craft convincing impersonation attempts.
The breach also highlights the growing cybersecurity risks tied to third-party vendors and outsourced technology providers. Even when a company’s own infrastructure is not directly compromised, attackers increasingly target suppliers and contractors as indirect entry points into larger organizations.
Inditex operates several global fashion brands beyond Zara, including Bershka, Pull&Bear, Stradivarius, and Massimo Dutti. The company has not confirmed whether customers from additional brands were affected in the incident.