Inditex suffers cyberattack
Madrid – Spanish fashion giant the Inditex has become the latest major corporation to fall victim to a cyberattack. An “unauthorised access” to the company's computer databases, containing customer information from various markets, has been reported. However, it is specified that this breach has not affected customers' personal or banking information.
According to a statement from Inditex's management, the breach of customer databases was detected on the servers of one of its technology providers. These infrastructures suffered a cyberattack that affected both Inditex and other companies with international operations. Following the attack, the Spanish fashion multinational, parent company of chains such as Zara, Bershka, Pull&Bear and Massimo Dutti, “immediately” implemented its security protocols. It also notified the relevant authorities. This was the result of a security breach on the servers of that third-party technology provider, where the company's compromised databases are hosted. Inditex reiterates that the incident “in no case” affected the personal and banking information of customers, who “can continue to access and operate with complete security”.
“Inditex has identified an unauthorised access to its organisation's databases hosted by a third party. These databases contain information about the commercial relationship with customers from different markets, but in no case do they contain data such as first and last names, telephone number, address, passwords, bank cards or other means of payment,” stated the Spanish fashion multinational in the aforementioned statement. Once the breach was detected, “Inditex immediately applied its security protocols and has initiated the notification to the corresponding authorities about this unauthorised access, which originates from an incident suffered by a former technology provider that has affected several companies with international operations”. In the case of Zara's owner, “Inditex's operations and systems have not been affected in any way” as a result of the cyberattack, and therefore, it is assured, “customers can continue to access and operate with complete security”.
A growing risk for companies
With this breach of its databases containing commercial information from customers in different markets, Inditex joins the growing list of companies and groups in the sector that have recently fallen victim to similar cybersecurity breaches, both in their own and third-party structures. Recent examples include breaches detected by Nike, Mango, El Corte Inglés and Tendam. In the case of the three Spanish companies, a breach of customers' personal data was reported.
Aware of this growing potential risk, especially within a multinational company like Inditex that has adopted an omnichannel business model, the company created and launched a Cybersecurity Advisory Committee in 2023. This is an independent body from its Audit and Compliance Committee. Its purpose is to advise the company on matters related to information security and cybersecurity. These are included among the potential technological risks for the company, given the “high degree of digitalisation and technological integration of Inditex's business model”. This nature leads the company to estimate, as stated in its 2025 Annual Report, that “the eventual materialisation of technological incidents—arising from factors such as infrastructure failures; cybersecurity incidents; application errors or difficulties in interacting with third-party technologies—could have a cross-cutting impact on the Group's activity, affecting the normal development of operational and commercial processes”.
To continue mitigating these potential risks, “throughout 2025, we continued to strengthen our defence capabilities to improve detection and response to threats such as DDoS attacks, credential stuffing and third-party vulnerabilities,” such as the one just identified, the Report adds. To achieve these objectives, the company has a specialised cyber-intelligence team responsible for continuous monitoring and early detection of risks and threats. It also has a Security Operations Centre (SOC) available 24 hours a day, seven days a week, which is responsible for the detection, analysis, notification and resolution of potential “security events” that may affect Inditex.
In 2025, a total of 66 “events of interest” were recorded. “The most relevant” of these were “reported to the Information Security Committee”. However, “none of these events” had a “significant impact on our operations or our financial statements”. This highlights how cybersecurity has become an increasingly critical area for companies. Therefore, in addition to the above, during 2025, Inditex carried out intrusion prevention measures and individual cybersecurity training programmes, providing specialised training to more than 4,000 team members.
- Inditex has been the victim of a cyberattack, following unauthorised access to the company's customer databases hosted on the servers of an external technology provider.
- The company has assured that the security breach did not compromise customers' personal or banking information, stating that they can continue to operate with complete security.
- Inditex immediately implemented its security protocols and notified the relevant authorities of the breach. This is in line with measures to mitigate and stop this series of attacks, which are monitored by its cyber-intelligence team, its security operations centre, and its Cybersecurity Advisory Committee.
This article was translated to English using an AI tool.
FashionUnited uses AI language tools to speed up translating (news) articles and proofread the translations to improve the end result. This saves our human journalists time they can spend doing research and writing original articles. Articles translated with the help of AI are checked and edited by a human desk editor prior to going online. If you have questions or comments about this process email us at info@fashionunited.com
OR CONTINUE WITH