CYBER ATTACK ON THE SERVERS OF FASHION BOX S.P.A. - MANUFACTURER AND WORLDWIDE DISTRIBUTOR OF CLOTHING, ACCESSORIES AND FOOTWEAR UNDER THE “REPLAY” TRADEMARK (hereinafter also the “Company”)
What happened
On January 29, 2025, the Company’s provider of IT Services, a multinational market leader (the “IT Vendor”) who, inter alia, manages the Company’s data center, informed the Company that it had detected a cyber-attack by an unauthorized third party (the “Hacker”), who was subsequently identified as a cyber-criminal (or group of cyber-criminals).
The Hacker accessed Fashion Box S.p.A. servers through a brute force attack. A brute force attack is a hacking method that uses systematic, automated trial-and-error attempts to crack passwords, login credentials and encryption keys.
The Hacker appears to have succeeded, despite the multiple security measures implemented, in copying and exfiltrating numerous documents from the servers, causing a loss of confidentiality of some information contained within the Company’s systems.
The cyber-attack appears to have affected only the servers of Fashion Box S.p.A., whereas the infrastructures of its subsidiaries were not involved. However, as the parent of a group of companies located in various European and non-European countries, the Company may process information not only in respect of data subjects resident in Italy but also in respect of those resident abroad. Such processing may be conducted by the Company, depending on the circumstances, as Controller or Processor in accordance with the relevant provisions of the European General Data Protection Regulation no. 2016/679 (“GDPR”).
To whom this communication is addressed and what information was involved
Fashion Box S.p.A. took immediate action to establish what had occurred. After thorough investigations and controls, it emerged that data saved on the Company’s servers had been exfiltrated. Such data concerns not only information regarding the Company’s business but possibly also personal data of internal and external stakeholders (such as employees, former employees, collaborators, consultants and suppliers).
The affected data - as the Company has already reported via individual communications to all subjects known to it pursuant to Art. 34 of the GDPR - is currently limited to information in connection with the relationships between the Company and the stakeholders. Such data may therefore fall, based on the type of data subject, into the following categories: identification and contact data, ID documents, economic details (e.g. IBAN) and any data relating to trade union membership, provided that these have been furnished to the Company.
What measures have been taken
Since the incident was detected, the Company’s IT team and the IT Vendor have been working systematically to adopt all necessary measures to contain the effects of the cyber-attack, analyze its origin and strengthen the Fashion Box Group’s systems to further protect Company information and any personal data.
In addition, in compliance with the obligations imposed by the applicable legislation on the protection of personal data (including the European General Data Protection Regulation 2016/679 - GDPR), the Company promptly notified the security incident to the competent local authorities (to date: Austria, France, Germany, the Netherlands, Spain, Sweden, Switzerland and the United Kingdom).
The Company’s Teams who are managing the incident are actively working to resolve the cyber-attack as a matter of priority and will continue to conduct regular reviews of its IT systems and constantly introduce updates and improvements to its infrastructure.
Contacts
For any clarification or further information you can contact the Group Data Protection Officer at the following address: dpo@replay.it