Spanish fashion retailer MANGO has disclosed a data breach that exposed customer information used in marketing campaigns. The company, which operates 2,800 locations across 120 countries and generates approximately 30% of its annual revenue of €3.3 billion from online sales, has sent breach notification letters to its customers detailing the incident.
According to the notice, an external marketing service provider suffered unauthorised access to certain customers’ personal data, including their first name, country, postal code, email address, and telephone number. MANGO clarified that last names, banking information, credit card data, IDs, passports, or account credentials were not compromised in this incident. While the absence of last names lessens the risk, the remaining exposed data can still be used by attackers in phishing attempts.
MANGO has assured customers that its corporate infrastructure and IT systems remain unaffected, and business operations have not been impacted. The company has activated all security protocols, notified the Spanish Data Protection Agency (AEPD) and relevant authorities, and established dedicated channels for customer support. MANGO has not disclosed the identity of the marketing service provider affected, and no ransomware groups have claimed responsibility for the attack at the time of publication.