MANGO Data Breach Exposes Customer Information
▼ Summary
– MANGO is notifying customers of a data breach at an external marketing vendor that exposed personal information including names, email addresses, and phone numbers.
– The exposed data did not include sensitive details like last names, banking information, credit card data, IDs, passports, or account credentials.
– MANGO’s corporate infrastructure and IT systems were unaffected, ensuring business operations continued normally without impact.
– The company has informed the Spanish Data Protection Agency and other authorities, and activated all security protocols in response to the breach.
– A dedicated email address and telephone hotline have been set up for customer support, and the attackers remain unidentified with no ransomware groups claiming responsibility.
The Spanish fashion powerhouse MANGO has issued a data breach alert to its clientele, revealing that a third-party marketing partner experienced a security incident leading to the exposure of personal customer information. Established in Barcelona back in 1984, MANGO has grown into a globally recognized designer and manufacturer of clothing and accessories, with a significant presence through both physical and online stores in 120 different countries.
Operating from roughly 2,800 locations, the company supports a workforce of 16,300 employees and generates annual revenues of €3.3 billion. A substantial portion of this income, around 30%, is derived from its e-commerce activities.
On October 14, 2025, the retailer began distributing formal data breach notifications to its customers. These communications explained that personal data utilized for marketing purposes had been accessed without authorization. The official notice clarified that an external marketing service provider was the source of the breach, not MANGO’s own internal systems.
The compromised information includes details such as a customer’s first name, country of residence, postal code, email address, and telephone number. Importantly, the company confirmed that more sensitive data, including surnames, financial information, credit card numbers, identification documents, and account passwords, remained secure and were not part of the exposure.
While the lack of last names reduces the potential for severe identity theft, cybersecurity experts warn that the information taken could still be leveraged effectively in targeted phishing campaigns. Attackers often use such details to craft convincing fraudulent messages.
MANGO was quick to reassure customers that its own corporate infrastructure and information technology systems were never breached. Business operations have continued without interruption, and the company emphasized that its internal networks remain secure.
Upon discovering the incident at its vendor, the company immediately activated all established security protocols. The specific marketing service provider involved has not been publicly identified. MANGO has also fulfilled its regulatory obligations by notifying the Spanish Data Protection Agency (AEPD) and other pertinent authorities about the event.
To assist concerned customers, the fashion retailer has set up a dedicated support channel. Individuals can email personaldata@mango.com or call the telephone hotline at 900 150 543 for more information and guidance.
Media inquiries regarding the specifics of the cyberattack and the total number of individuals affected have so far gone unanswered by the company. Furthermore, no ransomware groups have claimed responsibility for the breach on their typical extortion websites, leaving the identity and motives of the attackers a mystery for the time being.
(Source: Bleeping Computer)
