Cybersecurity incident at El Corte Inglés's external provider prompts security enhancements
What: A cybersecurity incident at El Corte Inglés's external provider compromises customer data, prompting immediate security measures and regulatory notifications.
Why it is important: This incident underscores the growing vulnerability of retail supply chains to cyber threats, revealing how third-party providers can compromise even well-established security systems in major retail operations.
El Corte Inglés has disclosed a data breach affecting its customers' personal information through an unauthorised access incident involving an external provider. The compromised data includes identification details, contact information, and El Corte Inglés store card numbers, though the company assures these cannot be used for unauthorised transactions. The breach was detected and addressed promptly through the company's security protocols, with immediate notification to relevant authorities. The Spanish retail giant has implemented additional security measures and required enhanced protocols from the supplier to prevent future incidents. While maintaining that store cards remain secure for use across all channels, El Corte Inglés has issued precautionary warnings to customers about potential fraudulent communications, emphasising that the company never requests passwords or security codes. This incident follows a similar cyber attack on Tendam last September, highlighting increasing cybersecurity challenges in Spanish retail.
IADS Notes: The El Corte Inglés data breach occurs amid a period of heightened cybersecurity challenges in retail. In December 2024, a significant ransomware attack demonstrated the sector's vulnerability to supply chain disruptions and digital threats. This incident gains particular significance as El Corte Inglés has been actively pursuing digital transformation, investing EUR 428 million in upgrading 25 locations as part of a comprehensive strategy through 2030. The breach, coming through an external provider, highlights how even robust digital infrastructure investments can be compromised through third-party vulnerabilities, despite ongoing modernisation efforts.