Spanish fashion powerhouse MANGO has confirmed a data breach affecting its customers after one of its external marketing service providers suffered unauthorized access. The company has begun notifying affected individuals about the exposure of limited personal data, while reassuring the public that its corporate infrastructure remains uncompromised.
Founded in 1984 in Barcelona, MANGO has evolved into a global fashion brand with over 2,800 stores in 120 countries, employing more than 16,000 people and generating annual revenues of €3.3 billion. Around 30% of its sales come from e-commerce, making cybersecurity a critical pillar of its operations.
According to the official data breach notification sent on October 14, 2025, the incident stemmed from a third-party marketing vendor, not MANGO’s internal systems. The company emphasized that “unauthorized access” affected only certain customers’ marketing-related data and did not compromise financial or authentication details.
The exposed data includes first names, countries, postal codes, email addresses, and phone numbers. Importantly, MANGO clarified that last names, banking data, credit card details, IDs, and passwords were not impacted. While this limits the severity, experts warn that such data can still fuel targeted phishing attacks and social engineering campaigns, especially when combined with other leaked information.
A company spokesperson stated, “Everything continues to function normally, and MANGO’s corporate systems have not been compromised.” This suggests that the breach was confined to the vendor’s environment, with no direct impact on business operations or customer transactions.
In response, MANGO says it has activated all security protocols, informed the Spanish Data Protection Agency (AEPD), and notified relevant regulatory bodies in compliance with the EU General Data Protection Regulation (GDPR). The company has also created a dedicated support line to assist affected customers: personaldata@mango.com and 900 150 543.
Cybersecurity analysts note that third-party vulnerabilities continue to be a growing concern for global retailers, as marketing and analytics firms often hold large amounts of customer data with less robust defenses. This incident underscores the urgent need for supply chain risk management and continuous vendor security assessments across industries.
As of now, no ransomware groups or data leak sites have claimed responsibility for the breach, leaving the identity of the attackers unknown. However, cybersecurity experts suggest that such incidents are often precursors to phishing campaigns leveraging compromised information to impersonate trusted brands like MANGO.
Conclusion:
The MANGO data breach serves as a timely reminder that even the most established global brands are vulnerable through third-party partnerships. While MANGO’s quick response and transparency help mitigate reputational damage, the event reinforces that data protection is only as strong as the weakest link in the supply chain. Businesses and consumers alike must remain vigilant against evolving cyber threats targeting the fashion and retail sectors.
