Mango hit by third-party marketing service breach, customer contacts at risk

16.10.2025 2 minutes Author: Newsman

Spanish retailer Mango has reported a data breach through a third party: attackers gained access to customers’ contact information (name, email, phone, postal code, country). The company has already notified the regulator and started sending notifications to the affected parties.

Mango confirmed that the incident occurred through an “external marketing service” it uses and that the leak was limited to personal contact details, not financial information or credentials. The company has activated internal response protocols, notified the Spanish Data Protection Authority (AEPD) and law enforcement agencies, and has published recommendations for customers to be vigilant about suspicious emails and calls. Experts note Mango’s quick response as a positive sign, but warn that even “just” names, addresses and phone numbers allow attackers to launch targeted phishing campaigns or vishing/smishing attacks (the second wave after the initial leak).

Leakage through a third party is a typical pattern in modern attacks on retail: providers of marketing platforms, CRMs and mailing services often process large amounts of personal data and become attractive targets. Over the past year, similar incidents have affected a number of well-known retailers (Harrods, M&S, Co-op) due to the compromise of external suppliers or platforms such as Salesforce. Even if payment details are not stolen, published contact details significantly increase the risk of social engineering.

Organizations and customers should act proactively. Companies should urgently audit and closely monitor suppliers (especially marketing/CRM services), restrict data sharing where necessary, implement contractual security requirements, and test suppliers. Customers should not open suspicious links, should not provide additional data upon request, should activate two-factor authentication where possible, and should report suspicious messages. Regulators should strengthen requirements for transparency in data supply chains.
