Most fast fashion brands flunk cybersecurity: 65% have exposed credentials

2025-12-15
BDI Team
Research by BDI Team

The Business Digital Index (BDI) team conducted external security assessments of some of the world’s most popular fast fashion retailers, including Inditex-owned brands (Pull&Bear, Bershka, Stradivarius, Massimo Dutti), as well as Zalando, SHEIN, ASOS, Boohoo, Mango, Fashion Nova, Forever 21, and others.

Out of the 20 brands we analyzed, only 10% achieved A-grade security.

Perhaps the most concerning finding is that 65% of companies have their corporate credentials actively circulating on the dark web.

This matters because fast fashion platforms likely process hundreds of millions of online transactions each year. Every purchase you make sends your card number, billing address, and personal information through these retailers’ systems. When encryption is misconfigured or credentials are exposed, shoppers face unauthorized charges, identity theft, and account takeovers.

Cybersecurity issues in fashion brands aren’t just theoretical; there have been multiple data leaks in 2025 alone:

  • Mango disclosed a breach in October 2025 after a compromised third-party provider exposed customer data.
  • Marks & Spencer’s 2025 cyberattack erased an estimated £136 million in profit and drove a 40–43% collapse in online fashion sales.
  • Kering’s (parent company of Gucci, Balenciaga, etc.) 2025 breach exposed the personal data of ~7.4 million customers globally, and Louis Vuitton reported at least 419,000 affected in Hong Kong alone.

Against this backdrop, the BDI assessment addresses a crucial question: which fast fashion brands can consumers actually trust with their payment information?

Understanding BDI's security assessment

BDI performs external scans of publicly visible systems. Scores from 0–100 are mapped to letter grades from A (low risk) to F (critical risk) using a weighted model across seven security factors.

The model also applies a decay factor to older breach incidents, allowing scores to improve over time when exposure is remediated.

Business Digital Index scoring methodology

The full, detailed methodology can be found here.

Only 10% of fast fashion brands earn top grades

Leading Fast Fashion Brand Risk Analysis

Just two platforms out of 20 (10%) achieved A-grade security:

Pull&Bear (Spain) – 96, Grade A

Pull&Bear received perfect scores in software patching, email security, system reputation, and system hosting, with a strong data breach history score (98.2).

VERO MODA (Denmark) – 96, Grade A

VERO MODA earned perfect scores in software patching, email security, and system hosting, while also getting the highest data breach history score in the analysis (99.2).

B and C grades: 15% of brands reach moderate-to-strong security

Zalando (Germany) – 92, Grade B

Zalando stands out as the only B-grade brand in the entire analysis. It achieves perfect scores (100) in software patching, web application security, email security, system reputation, and system hosting. Its data breach history score of 84.8 is strong but not perfect, and a relatively weak SSL Configuration score of 13.7 prevents it from joining the A-grade group.

Two brands fall into the C-grade band:

River Island (UK) – 88, Grade C

Stradivarius (Spain) – 88, Grade C

Both demonstrate good technical hardening across patching, web application security, and hosting; however, lower data breach history scores suggest that they have notably more credentials exposed than their A-grade peers.

50% earn D grades

Half of all analyzed brands scored between 70 and 79, placing them in the high-risk D category. These include household names like ASOS (71.5), SHEIN (71.8), Boohoo (75.0), Primark (71.8), and Pretty Little Thing (71.5).

25% earn F grades

Five brands scored below 70: Nasty Gal (69.1), COS (68.7), Fashion Nova (67.4), Forever 21 (65.6), and Missguided (58.3). Missguided's 58.3 represents the lowest security score in our entire analysis, with email security scoring just 8.8, making spoofing and phishing significantly easier for attackers.

65% of brands have breached credentials

13 out of 20 analyzed brands—65% of the industry—scored zero on data breach history.

A score of zero means active credential exposure right now: credentials from this organization are circulating in dark web marketplaces where they can be purchased for credential stuffing attacks, account takeovers, and identity theft.

SSL configuration issues affect nearly all brands

The average SSL/TLS configuration score in fast fashion brands is just 46.6 out of 100, making it the industry's second weakest security area.

Even the top performers show SSL vulnerabilities.

In practice, poor SSL/TLS configuration can mean:

  • Legacy protocols and weak cipher suites remain enabled.
  • Susceptibility to downgrade or man-in-the-middle attacks.
  • Reduced assurance that “secure” checkout sessions are properly hardened.

In other words, encryption may be present but not configured according to best contemporary practices.
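The three bullet points above describe what an auditor looks for in a TLS endpoint. The following is an added example (not BDI's scanner and not code from any of the retailers) that applies the same three checks to a Python ssl.SSLContext: a legacy minimum protocol version, cipher suites built on weak primitives, and suites without forward secrecy. The weak-cipher markers and the "misconfigured" versus "hardened" server contexts are constructed for illustration; the cipher lists returned depend on the OpenSSL build Python is linked against.

```python
import ssl

# Substrings that identify cipher suites built on weak or broken primitives.
# This classification is assumed for the example, not BDI's scoring rule.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "anon")

# Suites whose key exchange gives forward secrecy. TLS 1.3 suites are named
# TLS_... and always use ephemeral (EC)DH, so they pass as well.
FORWARD_SECRET_PREFIXES = ("ECDHE", "DHE", "TLS_")


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return audit findings for a server-side SSLContext; an empty list means clean."""
    findings = []

    # Check 1: legacy protocols (SSLv3, TLS 1.0, TLS 1.1) still negotiable.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"legacy protocol allowed: minimum version is {ctx.minimum_version.name}"
        )

    for suite in ctx.get_ciphers():
        name = suite["name"]
        # Check 2: suites that rely on weak or broken primitives.
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
        # Check 3: static key exchange (e.g. RSA). A later private-key compromise
        # would let recorded checkout sessions be decrypted after the fact.
        elif not name.startswith(FORWARD_SECRET_PREFIXES):
            findings.append(f"no forward secrecy: {name}")

    return findings


def weak_server_context() -> ssl.SSLContext:
    """Constructed example of a misconfigured server: TLS 1.0 and static-RSA suites allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    # "HIGH" still includes RSA key-exchange suites such as AES256-GCM-SHA384.
    ctx.set_ciphers("HIGH:!aNULL")
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """Constructed example of a hardened server: TLS 1.2+ with AEAD, forward-secret suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_server_context()), ("hardened", hardened_server_context())):
        findings = audit_context(ctx)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the two constructed contexts, the audit reports a legacy-protocol finding and a list of static-RSA suites for the weak configuration and nothing for the hardened one. The same function can be pointed at the context an application actually serves with, which is the check an operator wants before relying on the "secure" label on a checkout page.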

Country-level insights

Spain has the strongest cluster of higher-ranked brands, with one A-grade performer (Pull&Bear) and one C-grade brand (Stradivarius), alongside three D-grade brands from the Inditex group (Massimo Dutti, Mango, Bershka).

Germany contributes one B-grade brand (Zalando)—the only B-grade retailer in the entire dataset—and one D-grade brand (About You). Denmark shows a similar two-brand split, with one A-grade performer (VERO MODA) and one D-grade brand (ONLY).

The United Kingdom has the broadest distribution. Its six brands include one C-grade performer (River Island), three D-grade brands (Boohoo, ASOS, Pretty Little Thing), and two F-grade brands (Nasty Gal and Missguided). This makes the UK home to the largest concentration of lower-ranked retailers in the assessment.

Two analyzed brands are based in the United States, both of which fall into the F grade.

China and Ireland each appear with one D-grade brand: SHEIN (China) and Primark (Ireland).

Sweden is represented by one F-grade brand (COS).

Conclusion

So, should F-rated brands be avoided? Based on the external scans we conducted, they do show a higher likelihood of exposed weaknesses.

If you value your safety online, choosing retailers that earned stronger grades is a practical way to reduce exposure to threats and shop with greater confidence.

About Business Digital Index

The Business Digital Index (BDI) is a cybersecurity reputation platform that provides organizations with real-time security ratings based on scans of their externally-facing systems. BDI continuously monitors external digital assets and evaluates them using a weighted scoring model that considers technical vulnerabilities and real-world attack patterns to deliver a clear, standardized view of the organization's external cybersecurity posture.

It’s important to note that the findings presented are based on external, passive scanning and should be understood as signals of potential weaknesses rather than definitive proof of existing vulnerabilities. Our assessment does not account for internal security measures, compensating controls, or organization-specific practices that may mitigate these risks. The purpose is to highlight areas worth further investigation, drawing on historical breach patterns to illustrate how similar categories of flaws have been exploited in the past.
