Inditex Confirms Zara Data Breach: Over 197,000 Customers Affected in Security Incident
Breaking News — Spanish fast-fashion giant Inditex has confirmed that a data breach at its Zara brand exposed the personal information of more than 197,000 customers. The company said hackers gained unauthorized access to internal databases, obtaining names, email addresses, phone numbers, and partial payment card data.
The breach was first flagged by data breach notification service Have I Been Pwned, which posted a searchable database of affected accounts. Inditex acknowledged the incident late Tuesday and said it has notified relevant data protection authorities.
“This appears to be a significant breach impacting a large customer base, and the exposure of payment card details is particularly concerning,” said Rebecca Evans, a cybersecurity analyst at CyberRisk Partners. “Affected customers should monitor their accounts for suspicious activity and consider freezing credit.”
According to Inditex, the breach was discovered during routine security monitoring. The company launched an immediate investigation and has since patched the vulnerability. It did not disclose when the intrusion began or how long the hackers had access.
Zara operates over 2,000 stores worldwide and has a massive online presence. The breach could undermine trust in the brand’s data protection measures at a time when the company is already under pressure to improve sustainability and labor practices.
Background
This attack is part of a rising wave of cyber incidents targeting major retail chains. In 2023, retail data breaches increased by 28% globally, according to a report by CyberTrends. Hackers often exploit weak points in third-party integrations or unpatched legacy systems.
Zara parent Inditex, one of the world’s largest fashion retailers, has faced previous security issues. In 2018, a server misconfiguration exposed internal company emails. However, this is the first confirmed breach affecting customer data on a large scale.
“Retailers hold vast amounts of sensitive customer data, making them prime targets,” said Dr. Alex Chen, professor of cybersecurity at Madrid University. “The industry needs to invest more in threat detection and response, not just tick compliance boxes.”
Have I Been Pwned founder Troy Hunt said the data set appeared legitimate and included records from multiple countries. “The file we received contained clear evidence of real customer records from Zara’s database,” Hunt wrote in a blog post.
What This Means
Customers whose data was stolen face an elevated risk of phishing attacks, identity theft, and fraudulent transactions. The exposed partial card numbers could be used in combination with other data to commit fraud. Inditex says it will offer affected customers free credit monitoring services for 12 months.
Regulatory fines are likely under the General Data Protection Regulation (GDPR) if Inditex is found to have failed in its data protection duties. GDPR allows penalties of up to 4% of global annual turnover – for Inditex, that could exceed €600 million.
The breach also serves as a warning for other retailers. “This is a wake-up call for the entire industry,” Evans added. “Companies must assume they will be targeted and take a proactive, not reactive, stance.”
Inditex shares on the Madrid stock exchange fell 1.7% in early trading Wednesday as investors assessed the potential financial impact. The company said it is cooperating with law enforcement and has engaged external forensic experts to conduct a full review.
Consumers can check if their data was involved by visiting Have I Been Pwned and entering their email address. Inditex has set up a dedicated support page on its website, and a background of the incident can be found above.