Sabo data breach exposes 3.5 million customer records
A cybersecurity researcher has found a data exposure affecting over 3.5 million records, from 2015 to this year, belonging to the Australian fashion brand Sabo.
According to a report by VPNMentor, researcher Jeremiah Fowler discovered that the database, which was unencrypted and had no password protection, contained names, physical and email addresses, phone numbers, invoices, shipping information, return details, and other potentially sensitive data.
Fowler stated that the records appeared to belong to an internal management storage system, used to track sales, returns, and domestic and international correspondence.
Fowler stated that after he sent Sabo a disclosure notice, the database was made inaccessible and was restricted from public access.
It is unclear if the database was owned and managed by Sabo or a third-party contractor, and the duration of the exposure remains unknown.
Data breaches exposing customer invoices pose serious potential privacy and security risks, including phishing campaigns or social engineering attempts.
Criminals may create fake invoices that quote real order numbers, items purchased, and purchase totals, among other details, to scam customers.
A new potential risk is a brushing scam, where criminals use personal information obtained from leaked data to send unsolicited packages to random individuals and then use their identities to post fake positive reviews.
Fowler advised customers to verify the sender’s email address and ensure it matched the company’s official address. He advised against clicking on suspicious links and downloading attachments from unverified senders.
To ensure the adequate protection of customer data, Fowler recommended that retailers use multi-factor authentication (MFA) when accessing sensitive information, encrypt documents through password protection or built-in encryption tools, apply firewalls and network segmentation, distribute data across storage systems, and monitor and audit for unusual activity.
Inside Retail has reached out to Sabo but has not received a response.