Integrated Threat Analysis
Brinztech has identified a high-severity, multi-stage threat campaign targeting the global fashion conglomerate Inditex (parent of Zara, Bershka, Massimo Dutti, etc.). We are connecting two critical intelligence streams:
- The Strategic Compromise (Nov 2025): A massive database containing millions of Inditex customer records was allegedly breached and put up for sale on a hacker forum on 03/11/2025.
- The Tactical Exploitation (Feb 2026): A new, highly organized scam ring has emerged on bershka-europe.com, targeting users with fake “job offers” that pivot into financial fraud and identity theft.
Assessment: It is highly probable that the 2025 Data Breach provided the contact list (emails and phone numbers) that is now being used to target victims for the 2026 Scam Operation.
Part 1: The Root Cause — Global Inditex Database Leaked
Dark web news reports describe the sale of a “complete archive” of Inditex’s e-commerce operations. This is the Source of Truth for the current wave of attacks.
- The Data: The leak reportedly contains Full PII (Names, Emails, Phones), Physical Addresses, Hashed Passwords, and Order Histories for brands like Zara and Bershka.
- GDPR Catastrophe: As a Spanish entity, Inditex faces a “worst-case scenario” under GDPR. Failure to secure this data could result in fines up to 4% of global revenue.
- The “Credential Stuffing” Threat: Millions of users who reuse their Zara/Bershka passwords on banking or email sites are in immediate danger of account takeover.
Part 2: The Active Exploit — The “Bershka-Europe” Scam
Using the credibility of the brand (and likely the leaked contact data), scammers have launched a sophisticated fraud operation:
- The Bait: Victims are contacted via messaging apps (Telegram) for a “task-based commission job” to optimize sales metrics.
- The Trap (Sunk Cost): Users are shown a dashboard on bershka-europe.com (created Feb 11, 2026) where they “earn” €70. To withdraw it, they must deposit €100 of their own money.
- The Pivot to Identity Theft: When victims refuse to pay, the scammers shift tactics. They demand Passports and Utility Bills under the guise of “HR Contract Preparation.” This data is harvested to bypass KYC checks on crypto exchanges, allowing the criminals to launder money in the victim’s name.
Key Cybersecurity Insights
This incident represents a “Full Spectrum” attack on a brand’s ecosystem:
- Hyper-Targeted Phishing: With access to Order History from the breach, scammers can craft perfect lures. Instead of generic spam, a victim might receive: “Hello [Name], regarding your recent Zara order #[Real_ID]…” leading to the fake job offer or a payment page.
- Brand Reputation Erosion: A single breach at the parent level (Inditex) has compromised trust across all subsidiaries. The scam on bershka-europe.com works because users trust the Bershka name.
- Ephemeral Infrastructure: The scam domain was registered the same day the attacks ramped up. This “burn and churn” tactic, combined with Telegram anonymity, makes attribution nearly impossible without the initial breach data.
Mitigation Strategies
To protect consumers and the corporate entity, the following strategies are recommended:
- For Inditex: Immediate mandatory password resets for all global accounts across all brands (Zara, Bershka, Pull&Bear). A 72-hour GDPR breach notification to the Spanish AEPD is critical to mitigate regulatory fines.
- For Consumers:
  - The “Pay-to-Work” Rule: Legitimate employers (like Bershka) never ask for a deposit to start working. If you are asked to pay, it is a scam.
  - Check the Domain: Official Inditex jobs are listed on inditexcareers.com. Any site like bershka-europe.com or zara-jobs-vip.com is fraudulent.
  - Freeze Credit: If you provided your ID or Utility Bill to the scammers, immediately freeze your credit and contact your bank to flag potential identity theft.
- Network Blocking: Corporate firewalls should blacklist bershka-europe.com immediately.
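One way to apply the “Check the Domain” and “Network Blocking” advice to proxy or DNS logs is sketched below, as an added example that is not Brinztech's or Inditex's code. Only inditexcareers.com comes from this page as an official domain; the other allowlist entries, the function names and the sample log entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Only inditexcareers.com is named on the page as official; the other
# entries are assumptions to replace with the brand's verified domain list.
OFFICIAL_DOMAINS = {"inditexcareers.com", "inditex.com", "zara.com", "bershka.com"}
BRAND_KEYWORDS = ("inditex", "zara", "bershka")  # brands named in the article


def hostname_of(value: str) -> str:
    """Extract a normalised hostname from a URL or a bare host string."""
    value = value.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        value = "//" + value  # let urlsplit treat a bare host as a netloc
    try:
        host = urlsplit(value).hostname or ""  # drops userinfo and port
    except ValueError:
        return ""  # malformed netloc, e.g. an unbalanced IPv6 bracket
    return host.rstrip(".").lower()


def classify(value: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a URL or hostname."""
    host = hostname_of(value)
    # Official only if the host IS an official domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Brand name anywhere in a non-official host: impersonation candidate.
    if any(k in host for k in BRAND_KEYWORDS):
        return "lookalike"
    return "unrelated"


def blocklist_candidates(entries):
    """Return the sorted, de-duplicated lookalike hosts seen in entries."""
    return sorted({hostname_of(e) for e in entries if classify(e) == "lookalike"})


# Constructed sample: URLs/hosts as they might appear in proxy or DNS logs.
SAMPLE = [
    "https://www.inditexcareers.com/",
    "https://bershka-europe.com/dashboard",
    "http://inditexcareers.com@bershka-europe.com/login",
    "inditexcareers.com.zara-jobs-vip.com",
    "https://example.org/news",
]

if __name__ == "__main__":
    print(blocklist_candidates(SAMPLE))
```

Keyword matching produces review candidates rather than verdicts: an unrelated host that merely contains a brand string will also be flagged, so confirm each hit before adding it to a block rule.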
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com