Mango confirms data breach
Global retailer compromised via supply chain
Global fashion retail chain Mango has confirmed a breach in an external marketing service has exposed customers’ personal data.
The Barcelona-based firm began notifying customers yesterday, 15th October, that it had been the victim of a third-party marketing breach. It also confirmed the attackers had gained access to customer data.
In a letter to customers, Mango says the exposed information is “limited” to contact information used in marketing campaigns, which includes customers’ first name, country, postcode, email address and phone number.
Although that is a significant amount of personal data, customers can at least be assured that no financial data or login credentials were compromised.
Mango also says its business operations and corporate systems were not affected.
“As soon as Mango became aware of the situation, it immediately activated all security protocols,” the retailer said. It has also informed local data regulator the Spanish Data Protection Agency and the relevant authorities.
The company stopped short of providing any additional information on the breach, such as the name of the compromised supplier, how the attackers got into the system, or how many customers were affected.
Kevin Marriott, senior manager of cyber at Immersive, noted, “Anyone who hoped that cybercriminals had moved on from targeting the retail ecosystem is sorely mistaken... The volume of data retail outlets store, both within their own ecosystem and throughout their supply chain, is of value to threat actor groups. They often focus their efforts on the smaller, less mature parts of the retailer's supply chain, where security controls are often not as robust.”
While Marriott went on to praise the speed of Mango’s response, not every industry watcher was as supportive. William Wright, CEO of Closed Door Security, damningly noted that “outsourcing operations is not equal to outsourcing responsibility, The responsibility to keep customer data safe always depended on Mango.”
Mango customers should now be on the lookout for unsolicited contact, as it may indicate attempts at phishing or social engineering attacks.
If you’re a current or aspiring cybersecurity leader check out the Computing Security Leaders Summit on March 26th 2026. Packed with content including business continuity planning, bridging the cyber skills gap and cloud resilience, its promises to be full of insight and practical advice to take away. Register here for your free place.