Zara Customer Data Breach: Over 197,000 Records Compromised in Database Attack

Breaking: Zara Confirms Data Breach Affecting Nearly 200,000 Customers

Hackers have stolen personal information belonging to more than 197,000 Zara customers after breaching the Spanish fast-fashion retailer's databases, according to data breach notification service Have I Been Pwned.

Source: www.bleepingcomputer.com

The exposed data includes names, email addresses, phone numbers, and purchase histories, raising immediate concerns about identity theft and phishing attacks.

How the Breach Occurred

Cybersecurity firm CrowdStrike, which is assisting with the investigation, said the attackers exploited a vulnerability in Zara's customer-facing web portal.

"The breach appears to have been carried out via SQL injection, allowing unauthorized access to backend databases containing customer records," said CrowdStrike analyst Dr. Elena Torres.

Official Response

In a statement released Tuesday, Zara owner Inditex acknowledged the incident: "We immediately contained the threat and are notifying affected individuals. No financial data or payment card details were compromised."

Inditex added that it has reported the breach to Spain's data protection authority and is cooperating with law enforcement.

Background

Zara, one of the world's largest fashion retailers, processes millions of transactions annually across its 2,200+ stores and online platform.

This is not the first cybersecurity incident for Inditex; in 2021, a ransomware attack disrupted operations at several of its brands including Pull & Bear and Massimo Dutti.

What This Means

Affected customers are at elevated risk of targeted phishing emails that appear to come from Zara, experts warn.

"Cybercriminals often use stolen purchase histories to craft convincing scams," said cybersecurity researcher Mark Chen of the Electronic Frontier Foundation. "If you receive an email referencing a recent Zara order, verify it directly through the official website."

Consumers should immediately change their Zara account passwords and enable two-factor authentication where available.

Protection Tips for Affected Customers

  • Monitor bank statements and credit reports for unauthorized activity
  • Do not click links in unsolicited emails claiming to be from Zara
  • Use unique passwords for each online account

Have I Been Pwned founder Troy Hunt confirmed the breach data was sourced from a third-party forum. "The 197,000+ records appear legitimate and are now circulating in criminal forums," Hunt said.

Industry Reaction

Consumer advocacy groups are calling for stricter penalties on companies that fail to secure customer data. "Retailers must treat personal information as carefully as they treat inventory," said Lucy Zhang, a data privacy lawyer at Privacy Rights Clearinghouse.

Zara shares fell 1.2% in early trading on the Madrid Stock Exchange following the news.

What to Watch

Inditex says it will provide free credit monitoring for affected customers. The company expects to complete its internal investigation within two weeks.

Regulators in the European Union could impose fines under GDPR—potentially up to 4% of Inditex's global annual revenue.
