Mango shoppers ‘at considerable risk’ after data stolen in cyber attack

The company was praised by cybersecurity experts for its response to the hack (Picture: Mike Kemp/Getty Images)

Mango has become the latest retailer to be targeted in a cyber attack that saw hackers steal customer data.

The Spanish fashion retailer emailed customers yesterday saying that one of the company’s outside marketing agencies had been cracked open.

In the email, seen by Metro, Mango said the information is limited to ‘personal contact information used in marketing campaigns’.

This includes the shopper’s first name, the country they live in, their postcode, email address and phone number.

Mango stressed that financial data was not taken (Picture: Mango)


The email adds: ‘We inform you that everything is continuing to operate as normal and that Mango’s infrastructure and corporate systems have been compromised.

‘Under no circumstances have your banking information, credit cards, ID/passports or login credentials or passwords been compromised.’

Mango did not name the third-party marketing service it uses, nor did it reveal how many customers may have been affected.

Online stores and physical retail sites are unaffected by the breach.

The Spanish Data Protection Authority (AEPD) has been notified, with Mango saying customers should be wary of ‘suspicious’ emails and phone calls from people saying they are from the chain.

The brand has notified Spanish data officials about the leak (Picture: Getty Images)

The company sends customers around one to two marketing emails a week, according to the monitoring service MailCharts.

The email ends: ‘We regret any inconvenience this specific incident may have caused you. As always, we want to thank you for your trust and commitment to the brand.’

‘On the surface, this is a minor leak – but make no mistake’

M&S, Co-op, Harrods, London’s Heathrow Airport and a nursery chain, among many others, have been targeted by cyber attacks this year.

Large box retailers make easy targets for hackers as they hoover up large amounts of customer data, experts previously told Metro.

Ransomware group Scattered Spider has been blamed for many of the hacks, which also include luxury fashion brands Gucci and McQueen.

Joe Jones, the CEO and co-founder of Pistachio, a cybersecurity attack simulation company, told Metro that the risk to shoppers isn’t just when financial data is swiped.

M&S is one of the most high-profile shops targeted by hackers this year (Picture: PA)

‘On the surface, this might be a minor leak, with no bank details or identification documents stolen, but make no mistake: this kind of data breach can be hugely damaging,’ he said.

‘They’re more than enough to launch convincing scam operations that can cost businesses millions and put customers at considerable risk.

‘Once this data is out there, there’s no putting it back in the box.’

Marijus Briedis, chief technology officer at NordVPN, said this data can be used to make all sorts of scams.

This includes phishing, when hackers pretend to be from a reputable source to trick people into handing over their details, as well as fake customer service calls or identity theft attempts.

Think fake order emails, delivery hiccup updates or refund notifications.

Mango shoppers have been warned to be wary of suspicious emails or phone calls (Picture: REUTERS)

‘It’s encouraging that Mango acted quickly to contain the issue and alert customers,’ Briedis said.

‘But the fact that hackers gained access through an external marketing service highlights a growing weak spot: third-party suppliers.’

Retailers must ensure that, when using outside services rather than in-house teams, their security is iron-clad, Joseph Rooke, director of risk insights at the cyber intelligence firm Recorded Future’s Insikt Group, told Metro.

Hackers stole M&S customer data by crowbarring the supermarket’s third-party supplier using social engineering tricks, which often involve criminals pretending to be company representatives.

‘This incident highlights how supply chain security remains one of the biggest challenges for brands; it is often the Achilles’ heel that cyber threat actors target,’ said Rooke.

‘Even when core systems are protected, third parties can introduce risk. This highlights how vital it is for organisations to use intelligence to identify and monitor third-party risks early.’

All experts Metro spoke with advised that Mango shoppers remain ‘vigilant’ in the coming weeks.

Don’t click links, especially in messages that ask you to verify details or share codes, and verify communication through the Mango website or mobile phone app.
