Clothing giant MANGO discloses data breach exposing customer info

Spanish fashion retailer MANGO is sending notices of a data breach to its customers, warning that its marketing vendor suffered a compromise exposing personal data.

Founded in 1984 in Barcelona, MANGO is a clothing and fashion accessories designer and manufacturer, operating physical and e-commerce stores in 2,800 locations across 120 countries.

The company employs 16,300 people and has an annual revenue of €3.3 billion, of which approximately 30% comes from online purchases.

On October 14, 2025, the company sent data breach notifications to its customers, informing them that personal data used in marketing campaigns had been compromised.

"MANGO wishes to inform you that one of the external marketing services has suffered unauthorized access to certain customers' personal data," reads the notice.

The types of data exposed in this incident include a customer's first name, country, postal code, email address, and telephone number.

MANGO specified that last names, banking information, credit card data, IDs, passports, or account credentials were not compromised in this incident.

Although the absence of last names in the exposed data set lessens the risk, attackers can still use the remaining compromised data in phishing attacks.

The company also noted that its corporate infrastructure and IT systems remain unaffected, and so business operations weren't impacted.

"We inform you that everything continues to function normally and that Mango's corporate infrastructure and systems have not been compromised," stated the company.

All security protocols in place were activated upon learning of the data breach at the marketing service provider, which has not been named.

The company also stated that the Spanish Data Protection Agency (AEPD) and relevant authorities have been notified about the breach.

A dedicated email address (personaldata@mango.com) and telephone hotline (900 150 543) have been established to support customers concerned about the potential exposure from this incident.

BleepingComputer has contacted MANGO to learn more about the cyberattack and its scope of impact, but we have not received a response at the time of publication.

No ransomware groups have announced MANGO on their extortion portals, so the attackers remain unknown.