Spanish fashion retailer MANGO said on October 14, 2025 that it is notifying customers after an external marketing service suffered unauthorized access to certain customers’ personal data.
MANGO said the exposed fields included a customer’s first name, country, postal code, email address and telephone number. The company specified that last names, banking information, credit card data, identity documents and account credentials were not compromised.
Tthe absence of last names in the exposed dataset reduces some risk but attackers can still use the remaining information in phishing attacks.
MANGO said its corporate infrastructure and IT systems remain unaffected and business operations have not been impacted, and that all security protocols were activated upon learning of the incident. The marketing service provider has not been named. The Spanish Data Protection Agency (AEPD) and other authorities were notified, and the retailer set up a dedicated email ([email protected]) and a telephone hotline (900 150 543) for concerned customers.
No ransomware groups have listed MANGO on extortion portals, and the identity of the attackers remains unknown.