Cyber Incident Victim: Spar
Date:
May 2025
Location:
Poland
Summary
Spar experienced a cyberattack that resulted in unauthorized access to its online store systems and the exposure of customers’ personal data, including names, phone numbers, email addresses and delivery addresses. The breach raised the risk of unwanted telephone calls, SMS or email contacts and potential fraud attempts using the disclosed information. In response, the company secured its IT infrastructure, identified and blocked the source of the intrusion, and notified the relevant data protection authority.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 21 2025, unauthorized access occurred to the IT systems of WSS Detal Sp. z o.o., operator of the Spar online store, resulting in a leak of personal data including names, surnames, phone numbers, email addresses, and delivery addresses. The breach affected customers of the internetowy Spar shop located at ul. Druskienicka 12, 60-476 Poznań. The company disclosed the incident under article 34 of the GDPR, sending a notification to affected individuals on the same day. The notification listed the specific categories of data that were compromised: imię, nazwisko, nr telefonu, adres e-mail oraz adres dostawy. It also noted that the breach could lead to unwanted telephone contact such as telemarketing or fraud attempts.
In response, WSS Detal secured its information systems to prevent further unauthorized access. The company identified and blocked the source of the breach. It reported the incident to the President of the Office for Personal Data Protection (UODO) as required by law. To facilitate communication, the company provided the email address [email protected] for customers to report any suspected misuse of their data. The same email address can be used to contact the company's legal office for further questions about the breach. WSS Detal affirmed that it had fulfilled all formal obligations related to the incident, including regulator notification. The company declared its intention to take all necessary measures to avoid similar events in the future. It also stated that it would continue to ensure the secure processing of personal data.
The communication highlighted that the exposed delivery addresses could also be used as home addresses, increasing the potential for social engineering attacks. It noted that possessing a full set of personal data could enhance the credibility of fraudulent schemes targeting affected individuals. The company indicated that it would monitor the situation and cooperate with authorities as needed. No further technical details about the attack vector or threat actors were disclosed in the public statements.