Inditex, the owner of Zara, has disclosed a data breach linked to a former technology provider, stating that no customer data was exposed.
However, the ShinyHunters extortion group has since listed Zara on its leak site, claiming it will publish stolen data within days.
The Spanish retail giant revealed the incident in a statement issued late Wednesday, explaining that unauthorized access occurred at an external contractor rather than within its own infrastructure. According to Inditex, the compromised data relates to “commercial relations” and does not include sensitive customer information such as names, contact details, passwords, or payment data. The company emphasized that its internal systems remain secure and fully operational.
Inditex stated that it activated its security protocols immediately after discovering the incident and has begun notifying relevant authorities.
The data extortion group ShinyHunters published a new entry on its dark web leak portal earlier today, explicitly naming Zara (zara.com) as a victim. The listing claims that “BigQuery instances data” was compromised via the Anodot.com data analytics platform, delivering a “final warning” demanding contact by April 21, 2026, or the data will be leaked. The threat group implies access to internal datasets, though it does not provide verifiable samples at this stage.
ShinyHunters is a well-known threat actor associated with high-profile data breaches and extortion campaigns targeting large enterprises. The group typically steals data and pressures victims into paying ransom demands by threatening public disclosure. Its claims are not always independently verified at the time of posting, but past incidents have shown that listings on its portal often correspond to genuine data theft events.
Inditex, headquartered in Arteixo, Spain, is the world’s largest fashion retailer and owns several major brands, including Zara, Bershka, Pull&Bear, and Stradivarius. The company reported €39.9 billion in revenue for its latest fiscal year, with over a quarter of sales coming from online channels.
At the time of writing, Inditex has not publicly addressed the ShinyHunters' claims. We have reached out to Zara for clarification on whether the extortion group’s allegations are linked to the disclosed contractor breach, but have not received a response.
Leave a Reply