Zara data breach saw 197,000 people’s information exposed – but thankfully hackers may not have access to private information

ShinyHunters leaked 140GB of data from Zara’s BigQuery instances, exposing 197,400 emails, purchase records and support tickets
Inditex confirmed that no names, addresses, credentials or payment information were stolen, reducing the direct risk
Still, exposed emails and purchase details can fuel tailored phishing campaigns against customers

Fashion giant Zara lost customer data on nearly 200,000 people, but it appears that very little private information was actually stolen.

Zara is one of the largest fashion retailers in the world with more than 1,500 stores around the world and is the flagship brand of the Inditex Group, which also owns Massimo Dutti, Pull&Bear, Bershka and many others.

Last month, it revealed that it suffered a data breach as a result of the ongoing incident involving Anodot, an AI-powered, cloud-based analytics platform that some companies integrated with other services, such as Snowflake. When ransomware actors ShinyHunters broke into Anodot, they were able to access these integrations and steal files belonging to several companies.

ShinyHunters strikes again

When Inditex reported the incident, it said the attackers did not have access to private information such as names, phone numbers, addresses, login credentials or payment information.

“Inditex has immediately applied its security protocols and has begun notifying the appropriate authorities of this unauthorized access stemming from a security incident that affected a former technology provider and has affected multiple companies operating internationally,” the company said at the time.

Meanwhile, ShinyHunters claimed responsibility for the attack and leaked a 140GB archive that it claims to have stolen from BigQuery instances. Now, Via Bleeping Computer reports Have You Been Pwned? analyzed the stolen data and found 197,400 email addresses, geographic locations, purchases and support tickets.

“The data contained 197,000 unique email addresses along with product SKUs, order IDs and the market from which the support ticket originated,” the service said.

Although not having names and addresses reduces the risk somewhat, cybercriminals can still use the available information to run tailored phishing campaigns. Through these emails, they can steal login credentials, deploy malware and thus further escalate the attacks.