Zara Parent Company Inditex Reports Third-Party Data Breach Affecting Transactions Database
Published on April 17, 2026
Key Takeaways
- Unauthorized access detected: Zara owner Inditex reported a breach affecting databases hosted by a third party that contain customer transaction records.
- Sensitive information secured: The compromised databases do not include passwords, physical addresses, or bank card details, limiting direct financial exposure.
- Global vendor compromised: The Inditex data breach originated from a former technology provider, impacting several international companies.
Zara parent company Inditex has confirmed unauthorized access to databases managed by an external service provider. The compromised systems contained specific information regarding customer transactions, though the retail giant has not provided further details on the exposure.
The Spanish retail giant has several other brands in its portfolio, including Pull&Bear, Massimo Dutti, Bershka, Stradivarius, and Oysho.
Third-Party Database Incident
In a late Wednesday statement, Inditex announced that the data breach stemmed from a security incident affecting a former technology vendor. This specific vulnerability has reportedly impacted multiple companies operating on an international scale, according to Reuters.
By exploiting vulnerabilities in third-party database infrastructure, unauthorized threat actors gained access to transactional records. Despite the unauthorized access, Inditex confirmed that the most critical personal information remains secure. The affected databases did not contain customer data such as addresses, account passwords, or bank card details.
However, the company did not provide additional details regarding the specific vendor or the exact number of impacted international organizations.
Sensitive Customer Data Protected
Upon discovering the vulnerability, the Spanish retail conglomerate immediately implemented security protocols to contain the threat. Furthermore, the company has initiated contact with relevant regulatory authorities to report the incident and ensure full compliance with data protection requirements.
This Inditex data breach demonstrates the escalating cybersecurity risks associated with external supply chains and vendor management. Spanish fashion retailer Mango announced a data breach in October 2025 that occurred through a third-party marketing provider.
A few days ago, a Rockstar Games breach reportedly leaked analytics data following a prior Anodot security incident, a Booking.com breach exposed sensitive customer information, and a Basic-Fit incident exposed 1 million member records.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular