Zara data breach saw 197,000 people have information exposed — but luckily, hackers may not have accessed private info


  • ShinyHunters leaked 140GB of data from Zara’s BigQuery instances, exposing 197,400 emails, purchase records, and support tickets
  • Inditex confirmed no names, addresses, credentials, or payment info were stolen, reducing direct risk
  • Still, exposed emails and purchase details could fuel tailored phishing campaigns against customers

Fashion behemoth Zara lost customer data on almost 200,000 people, but it seems very little private information was actually stolen.

Zara is one of the biggest fashion retailers in the world, with more than 1,500 stores globally, and is the flagship brand of the Inditex Group, which also owns Massimo Dutti, Pull&Bear, Bershka, and many others.

Last month, it disclosed suffering a data breach as the result of the ongoing incident involving Anodot, an AI-powered, cloud-based analytics platform that some companies integrated with other services, such as Snowflake. When ransomware actors ShinyHunters broke into Anodot, they were able to access those integrations and steal files belonging to multiple companies.


ShinyHunters strike again

When Inditex reported on the incident, it said the attackers did not access private information such as names, phone numbers, addresses, login credentials, or payment information.

"Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally," the company said at the time.

In the meantime, ShinyHunters claimed responsibility for the attack and leaked a 140GB archive which it claims to have stolen from BigQuery instances. Now, BleepingComputer reports that Have I Been Pwned? analyzed the stolen data and found 197,400 email addresses, geographic locations, purchases, and support tickets.

"The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in," the service said.

While not having names and addresses reduces the risk somewhat, cybercriminals can still use the available information to run highly tailored phishing campaigns. Through these emails they can steal login credentials, deploy malware, and thus escalate the attacks further.




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
