Inditex, the textile group behind Zara, disclosed on Wednesday night that there had been unauthorized access to internal databases hosted on a third-party provider's servers. The company states that no customer personal data, such as names, phone numbers or credit cards, was compromised. Operations remain fully unaffected.
Inditex reported on Wednesday night an unauthorized access to databases holding commercial information on clients from various markets. The databases, hosted on a third-party provider's servers, do not contain sensitive personal data, the company said. "In no case data such as names and surnames, phone, address, passwords, credit cards or other payment methods," the statement specifies.
The firm immediately applied its security protocols and alerted the relevant authorities. The breach stemmed from an issue at a former tech supplier affecting multiple international companies. "Inditex's operations and systems have suffered no disruption and customers can continue accessing and operating securely," the Galician textile group added.
Inditex lists cybersecurity among key risks due to its digital model. It has an information security committee involving top executives like CEO Óscar García Maceiras, and a cybersecurity advisory committee formed in 2023. The latter met five times in 2025 to review threats including AI and new intrusion techniques. It also runs a 24/7 security operations center that identified 66 events in 2025 with no notable impacts.
This is not the first such incident in Spanish retail. In October, Mango disclosed unauthorized access to client marketing data via an external service. El Corte Inglés faced a similar breach in March last year involving data on an external provider.