Inditex, the parent company of Zara, has disclosed a data breach linked to a former technology provider, while maintaining that no customer data was compromised. However, the situation has escalated as the cyber extortion group ShinyHunters has listed Zara on its leak site, claiming it will release stolen data within days.
According to Inditex, the breach did not occur within its internal systems but instead originated from unauthorized access at an external contractor. The company clarified that the compromised data relates only to “commercial relations” and does not include sensitive customer information such as names, contact details, passwords, or payment data. As a result, Inditex reassured stakeholders that its core infrastructure remains secure and fully operational.
Furthermore, the company stated that it immediately activated its security protocols upon discovering the incident. It has also begun notifying relevant regulatory authorities, demonstrating a proactive approach to incident response and compliance.
Despite these assurances, ShinyHunters has publicly claimed responsibility for the breach. The group recently added Zara to its dark web leak portal, alleging that it accessed “BigQuery instances data” through the Anodot data analytics platform. In addition, the group issued a “final warning,” demanding that the company make contact by April 21, 2026, or face the public release of the allegedly stolen data.
At this stage, the claims made by ShinyHunters remain unverified, as the group has not provided concrete evidence or data samples to support its assertions. Nevertheless, the threat cannot be dismissed outright. Historically, ShinyHunters has been linked to several high-profile data breaches and extortion campaigns targeting large enterprises. In many cases, the group exfiltrates data and pressures organizations into paying a ransom by threatening public disclosure.
Meanwhile, Inditex has not directly addressed the specific allegations made by ShinyHunters. It remains unclear whether the claims are directly connected to the previously disclosed contractor breach or represent a separate incident. Requests for clarification from Zara have not yet received a response.
Zara, one of the flagship brands under Inditex, is part of a global retail portfolio that also includes Bershka, Pull&Bear, and Stradivarius. Headquartered in Arteixo, Inditex reported €39.9 billion in revenue in its most recent fiscal year, with a significant portion driven by online sales.
As the situation continues to unfold, the incident highlights the growing risks associated with third-party vendors and supply chain dependencies. Even when core systems remain secure, vulnerabilities in external partners can expose organizations to reputational and operational threats.
Ultimately, this case underscores the importance of robust third-party risk management and rapid incident response, especially as cybercriminal groups increasingly target interconnected business ecosystems.




