Mango shoppers ‘at considerable risk’ after data stolen in cyber attack
The company was praised by cybersecurity experts for its response to the hack (Picture: Mike Kemp/Getty Images)

Mango has issued a warning to customers after hackers stole limited customer data from a third-party marketing service.

The Spanish fashion retailer emailed customers yesterday to say that the data is confined to ‘personal contact information used in marketing campaigns’.

‘This includes the shopper’s first name, the country they live in, their postcode, email address and phone number,’ the email, seen by Metro, said.

The email adds: ‘We inform you that everything is continuing to operate as normal and that Mango’s infrastructure and corporate systems have been compromised.

Mango stressed that financial data was not taken (Picture: Mango)

‘Under no circumstances have your banking information, credit cards, ID/passports or login credentials or passwords been compromised.’

Mango did not name the third-party marketing service it uses, nor did it reveal how many customers may have been affected.

As unauthorised access was made through a third-party system that held customer data, the breach was not targeted at Mango itself.

Online stores and physical retail sites are unaffected by the breach, with the company stressing that people can shop safely.

The Spanish Data Protection Authority (AEPD) has been notified, with Mango saying customers should be wary of ‘suspicious’ email and phone calls from people saying they are from the chain.

Mango’s ‘important data protection update’ in full

  • MANGO has been made aware of unauthorised access to certain customers’ personal data, managed by a third-party marketing services provider in Spain.
  • The data is limited to personal contact details used in marketing campaigns: exclusively first name (surnames have not been compromised), country, postal code, email address and telephone number.
  • No banking information, credit card details, ID/passport numbers, access credentials or customer passwords have been compromised.
  • MANGO operations and company systems are unaffected. Customers can continue to shop with MANGO, through the app, website or in our stores, safely.
  • In line with our commitment to customer security and privacy, as soon as MANGO was made aware of the situation, we immediately activated all security protocols. The company will notify the Information Commissioner’s Office in the next 24 hours.

As a preventive measure, we recommend that all customers remain vigilant to any suspicious communication, including unexpected communications or requests for personal or financial information, both by email and by telephone.

We have set up a dedicated mailbox (personaldata@mango.com), which is available to customers for any further questions about this incident.

We apologize for the inconvenience or worry this incident may have caused and would like to thank MANGO customers for their continued support.

The brand has notified Spanish data officials about the leak (Picture: Getty Images)

The company sends customers around one to two marketing emails a week, according to the monitoring service MailCharts.

The email ends: ‘We regret any inconvenience this specific incident may have caused you. As always, we want to thank you for your trust and commitment to the brand.’

‘On the surface, this is a minor leak – but make no mistake’

M&S, Co-op, Harrods, London’s Heathrow Airport and a nursery chain, among many others, have been targeted by cyber attacks this year.

Retailers make easy targets for hackers as they hoover up large amounts of customer data, experts previously told Metro.

Ransomware group Scattered Spider has been blamed for many of the hacks, which also include luxury fashion brands Gucci and McQueen.

Joe Jones, the CEO and co-founder of Pistachio, a cybersecurity attack simulation company, told Metro that the risk to shoppers isn’t just when financial data is swiped.

M&S is one of the most high-profile shops targeted by hackers this year (Picture: PA)

‘On the surface, this might be a minor leak, with no bank details or identification documents stolen, but make no mistake: this kind of data breach can be hugely damaging,’ he said.

‘They’re more than enough to launch convincing scam operations that can cost businesses millions and put customers at considerable risk.

‘Once this data is out there, there’s no putting it back in the box.’

Marijus Briedis, chief technology officer at NordVPN, said data can be used to make all sorts of scams.

This includes phishing, when hackers pretend to be from a reputable source to trick people into handing over their details, as well as fake customer service calls or identity theft attempts.

Think fake order emails, delivery hiccup updates or refund notifications.

Mango shoppers have been warned to be wary of suspicious emails or phone calls (Picture: REUTERS)

‘It’s encouraging that Mango acted quickly to contain the issue and alert customers,’ Briedis said.

‘But the fact that hackers gained access through an external marketing service highlights a growing weak spot: third-party suppliers.’

Retailers must ensure that their security is iron-clad when using outside services rather than in-house teams, Joseph Rooke, director of risk insights at the cyber intelligence firm Recorded Future’s Insikt Group, told Metro.

Hackers stole M&S customer data by crowbarring the supermarket’s third-party supplier using social engineering tricks, which often involve criminals pretending to be company representatives.

‘This incident highlights how supply chain security remains one of the biggest challenges for brands; it is often the Achilles’ heel that cyber threat actors target,’ said Rooke.

‘Even when core systems are protected, third parties can introduce risk. This highlights how vital it is for organisations to use intelligence to identify and monitor third-party risks early.’

All experts Metro spoke with advised that Mango shoppers remain ‘vigilant’ in the coming weeks.

Don’t click links and verify communication through the Mango website or mobile phone app, especially in messages that ask to verify details or share codes.
