Cyber Incident Victim: Spar SA

On 21 May 2025, unauthorized access to the IT systems of WSS Detal Sp. z o.o., operator of the online Spar store, resulted in a data breach. The breach exposed personal data consisting of customers' names, surnames, telephone numbers, email addresses, and delivery addresses used for orders. The article notes that the delivery addresses may also correspond to customers' home addresses. The incident was discovered on the same day and reported as a personal data protection violation under Article 34 of GDPR.

The exposed data could be used for unwanted telephone contact, including telemarketing and fraud attempts. Attackers possessing the full set of data might try to defraud money or direct victims to counterfeit websites, increasing credibility by using genuine personal details from the leak. The company warned that such misuse could lead to unwanted calls concerning personal or financial matters.

The company secured access to its IT systems, identified and blocked the source of the unauthorized access, and notified the President of the Office for Personal Data Protection (UODO) of the incident. It also informed affected customers via a communication that included the contact address [email protected] for reporting any misuse and for contacting the legal office. The company declared that it had fulfilled all formal obligations related to the breach and would make every effort to prevent a similar event in the future.