Cyber Incident Victim: Fashion Box S.p.A.
Date: Jan 2025
Location: Italy
Summary
A brute force cyberattack compromised Fashion Box S.p.A. (Replay), allowing unauthorized access to its servers by bypassing security measures implemented by its IT provider. The breach resulted in the theft of corporate data and personal information belonging to internal and external stakeholders, though subsidiaries' infrastructure remained unaffected. The company notified data protection authorities in Italy and eight additional European countries, alerted employees, and implemented technical and organizational measures to strengthen security systems and mitigate future risks.
Description
On January 29, 2025, Fashion Box S.p.A., operating globally as Replay, experienced a cybersecurity breach at its Asolo headquarters. The intrusion occurred when an unauthorized third party executed a brute-force attack against the company’s servers, circumventing security measures implemented by its IT provider. A brute-force attack works by systematically testing all theoretically possible combinations of passwords, credentials, or cryptographic keys until one grants access. The attack was detected by the external provider responsible for managing Fashion Box’s data center, though the exact duration of unauthorized access prior to detection remains unspecified in public disclosures. Initial forensic analyses confirmed the theft of data stored on the compromised systems, including corporate information and personal data belonging to internal and external stakeholders. The breach was confined to Fashion Box’s primary servers, with no evidence of impact on infrastructure belonging to its foreign subsidiaries.

Fashion Box initiated multiple response actions following the breach. The company filed a formal police report and notified relevant data protection authorities in Italy and eight additional jurisdictions: Austria, France, Germany, the Netherlands, Spain, Sweden, Switzerland, and the United Kingdom. Internal stakeholders, including employees, received prompt alerts about the incident. Technical and organizational measures were deployed to strengthen corporate security systems, aiming to reduce the likelihood of future incidents. Public communication regarding the breach was published on the company’s official website, though specific details about the volume of compromised records, exact data types, or financial impacts were not disclosed. The incident marked the second major cyberattack targeting a large enterprise in Northeast Italy’s Treviso province within a short timeframe, following a prior breach at Alf.
