On 25 June 2026, the Hackmanac account on X alerted that the cybercriminal group known as Saturne had published, free of charge on hacking forums, a database it claims was extracted from leroymerlin.es, the official Leroy Merlin website for the Spanish market. According to the published information, the package contains 54,723 records of Spanish customers, including national ID (DNI) numbers. The data was published for free rather than for sale, which indicates that the objective is public exposure rather than direct monetisation. Technical audit firm ESIX rated the incident at a severity index of 4.86, a level that calls for an immediate containment response. Leroy Merlin had not issued an official statement at the time of writing. The incident is pending forensic verification by the company's teams, but Saturne's track record as a group with verified prior attacks does not invite optimism. This is also the second security incident affecting Leroy Merlin in less than seven months: in December 2025, the company publicly acknowledged a cyberattack that exposed customer data in France, notified to the French data protection authority (CNIL).

What do we know about the Leroy Merlin Spain hack?

Facts documented by Hackmanac, Escudo Digital, Hipertextual, ADSLZone and que.es:

  • Actor: the Saturne group, identified by its documented history of attacks on mass-market retail companies. Saturne does not typically publish breaches without having genuinely obtained the data.
  • Publication date: 25 June 2026, first alert detected in hacking forums.
  • Target: leroymerlin.es, the official Leroy Merlin website for the Spanish market. The extracted information reportedly corresponds to June 2026, indicating a recent attack rather than reuse of data from previous breaches.
  • Volume: 54,723 customer records. The package was published for free, not for sale.
  • Data exposed according to the attacking group: full names, contact details (email and phone), physical shipping addresses, billing history and details, Leroy Merlin loyalty club card codes, and Spanish national ID (DNI) numbers. The latter is the element of greatest severity: the DNI is a permanent, non-alterable personal identifier that enables identity impersonation in administrative, financial and digital processes.
  • Data not included in the published package: financial data (credit card numbers, IBAN) and user account passwords. Leroy Merlin manages financial information in separate technical environments aligned with PCI DSS, which limits the direct impact on economic transactions. Note that absence from the dump shows only what the group chose to publish, not what was reachable; that is one of the points forensic verification has to settle.
  • Verification status: the incident is pending forensic verification by Leroy Merlin. The company has not issued an official statement on this specific attack. Escudo Digital notes it is unclear whether it relates to the December 2025 breach or represents a completely separate compromise.
  • ESIX severity index: 4.86 out of 5, requiring immediate containment response.
  • Prior incident: in December 2025, Leroy Merlin publicly acknowledged a cyberattack in France that exposed customer contact details and loyalty programme information, notified to the CNIL and followed by a formal complaint. Investigations from that incident remain ongoing.

Why the retail sector with loyalty programmes is a priority target

Leroy Merlin is not an isolated case in the cybercrime landscape targeting retail. Over the last twelve months, the Apolo blog has documented similar attacks against Ahorramas (Qilin ransomware, May 2026), Inditex (breach via external provider), and multiple European mass-market chains. Four factors make loyalty-programme retail a first-order target:

  1. Loyalty databases are a high-value asset for cybercrime. A loyalty card programme like Leroy Merlin’s concentrates exactly the type of information cybercrime groups seek: full name, email, phone, physical address and, in the Spanish case, DNI. It is a complete customer profile enabling hyper-segmented phishing campaigns and, with the DNI included, identity impersonation attempts in financial and administrative services.
  2. The DNI is the most valuable data element in this breach. Unlike an email address or phone number, which can be changed, the Spanish DNI is permanent and non-alterable. With full name, DNI, address and email, an attacker can attempt to take out financial services in the victim’s name, access public administration processes, or create false credentials on platforms that use the DNI as a verification identifier.
  3. Mass-market ecommerce architecture is a broad attack surface. The ecommerce platforms of a chain of Leroy Merlin’s size have multiple integration points: CRM, order management systems, logistics platforms, payment providers, digital marketing tools and third-party APIs. Each integration is a potential compromise vector. The December 2025 attack on Leroy Merlin France originated in an external technology provider, not directly in the company’s systems.
  4. The volume of accumulated data makes the impact of a breach massive. Leroy Merlin has over 100 stores in Spain and millions of customers registered in its loyalty programme. Even a breach affecting a small fraction of that database (54,723 records) generates significant regulatory and reputational impact due to the type of data exposed, not the volume.

How these attacks against ecommerce platforms occur

Without public forensic confirmation of the specific vector in this case, the modus operandi documented in similar retail sector breaches in 2026 follows these patterns:

  1. Exploitation of vulnerabilities in the ecommerce stack or its integrations. Mass-market ecommerce platforms typically use combinations of proprietary software, SaaS platforms and multiple third-party integrations (CRM, marketing automation, logistics). A vulnerability in any layer of the stack, particularly in less-audited integrations, can open access to the customer database.
  2. Access via external provider (supply chain attack). The December 2025 Leroy Merlin France incident was caused by an external technology provider. The supply chain attacks we documented on the Apolo blog throughout June (Claude Code GitHub Action, Cordyceps, ShinyHunters via Salesforce) confirm this vector is systematic in 2026.
  3. Exfiltration and forum publication. Once the database is obtained, the Saturne group opts for free publication rather than sale. This may respond to different motivations: discrediting the company, signalling the breach as a warning to negotiate privately, or simply demonstrating technical capability. The practical effect is identical: the data is publicly available to any actor who wants to exploit it.

Key lessons for businesses and executives

  • DNI data in customer databases requires first-level protection. Many companies collect their customers' DNI for billing, warranty processes or access to loyalty programme benefits. That data must be encrypted at rest with a managed key, with access audited and reviewed periodically, and with a minimum retention policy: if the DNI is not necessary for current operations, it should be deleted. Plain hashing is not a substitute for encryption here: the DNI space is only about 10^8 values, so an unkeyed hash of a DNI can be reversed by enumeration in minutes; if a pseudonym is needed for matching, it must be keyed.
  • The obligation to notify the AEPD is not optional. GDPR (Articles 33 and 34) and Spain's LOPDGDD require notifying personal data breaches to the Spanish Data Protection Agency without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the incident. When the breach is likely to result in a high risk to the affected individuals, as exposure of the DNI together with name and address typically is, notification to the affected individuals themselves may also be mandatory. Non-compliance with these deadlines can result in administrative sanctions independent of the original incident.
  • Forensic verification cannot take days. An incident still classified as pending verification 24 hours after public publication signals that incident response processes need to accelerate. When data from 54,000 customers is publicly available in hacking forums, the forensic verification timeline is measured in hours, not days.
  • Loyalty programmes require a dedicated data audit. The type of data concentrated in a loyalty programme (name, DNI, email, phone, address, purchase history) creates a customer profile that exceeds the individual parts in value and risk. Many companies do not audit the security of their CRM systems and loyalty platforms with the same rigour they apply to payment systems, despite the regulatory and reputational impact of a breach being comparable.
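The first lesson above (validate the DNI, never keep it in the clear where it is not needed, log every access, delete it when retention expires) in working form. This is an added example written for this page, not code from Apolo Cybersecurity, Leroy Merlin or any of the sources cited; the in-memory table, the HMAC key, the customer identifiers and the dates are all constructed. Real encryption at rest would use a KMS/HSM-managed key and a library such as `cryptography`; this stdlib-only example keeps a keyed HMAC pseudonym for matching plus a masked display form, and holds the plaintext only while an operation (here, an open warranty claim) needs it.

```python
# Added example (not code from the original post, Apolo Cybersecurity or Leroy Merlin):
# handling Spanish DNI values in a customer table without keeping the plaintext
# around longer than needed. Key, records, actor names and dates are constructed.
import hmac
import hashlib
from datetime import date, timedelta
from typing import Optional

# Official check-letter table: the check letter is DNI_LETTERS[number % 23].
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"


def normalize_dni(dni: str) -> str:
    """Uppercase and drop whitespace/separators ("12345678-Z" -> "12345678Z")."""
    return "".join(ch for ch in dni.upper() if ch.isalnum())


def dni_is_valid(dni: str) -> bool:
    """Validate a DNI (8 digits + check letter) before it reaches the database."""
    d = normalize_dni(dni)
    if len(d) != 9 or not d[:8].isdigit() or not d[8].isalpha():
        return False
    return DNI_LETTERS[int(d[:8]) % 23] == d[8]


def dni_token(dni: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) used for matching and de-duplication.
    An unkeyed hash would be useless: there are only ~10^8 possible DNIs, so
    anyone holding the table could enumerate them all in minutes."""
    return hmac.new(key, normalize_dni(dni).encode(), hashlib.sha256).hexdigest()


def dni_mask(dni: str) -> str:
    """Display form for support staff: only the last three digits and the letter."""
    return "*****" + normalize_dni(dni)[5:]


class CustomerStore:
    """In-memory stand-in for a CRM/loyalty table (constructed for the example).
    Plaintext DNI is stored only when an operation needs it; every read is logged
    with actor and purpose so access can be reviewed periodically."""

    def __init__(self, key: bytes):
        self.key = key
        self.rows = {}          # customer_id -> record
        self.access_log = []    # (customer_id, actor, purpose)

    def enrol(self, customer_id: str, dni: str, today: date,
              keep_plaintext: bool = False) -> None:
        if not dni_is_valid(dni):
            raise ValueError("invalid DNI")
        self.rows[customer_id] = {
            "dni_token": dni_token(dni, self.key),
            "dni_masked": dni_mask(dni),
            "dni_plain": normalize_dni(dni) if keep_plaintext else None,
            "dni_last_needed": today,
        }

    def read_dni(self, customer_id: str, actor: str, purpose: str) -> Optional[str]:
        """Audited read: who looked at the identifier and why."""
        self.access_log.append((customer_id, actor, purpose))
        return self.rows[customer_id]["dni_plain"]

    def find_by_dni(self, dni: str) -> Optional[str]:
        """Match a customer by DNI using only the keyed token."""
        token = dni_token(dni, self.key)
        for cid, row in self.rows.items():
            if hmac.compare_digest(row["dni_token"], token):
                return cid
        return None

    def purge_expired(self, today: date, retention_days: int) -> int:
        """Minimum-retention policy: drop the plaintext once it has not been
        needed for retention_days. Returns the number of rows purged."""
        cutoff = today - timedelta(days=retention_days)
        purged = 0
        for row in self.rows.values():
            if row["dni_plain"] is not None and row["dni_last_needed"] < cutoff:
                row["dni_plain"] = None
                purged += 1
        return purged


if __name__ == "__main__":
    store = CustomerStore(b"constructed-example-key-rotate-me")
    store.enrol("c1", "12345678Z", date(2026, 1, 1), keep_plaintext=True)
    store.enrol("c2", "00000000T", date(2026, 1, 1))
    print(store.find_by_dni("12345678-z"), store.rows["c1"]["dni_masked"])
    print("purged:", store.purge_expired(date(2026, 3, 1), retention_days=30))
    print(store.access_log)
```

After the purge the row still matches by token and still shows the masked form to agents, but a dump of the table no longer yields the identifier the text singles out as the most damaging element of this breach.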

Cybersecurity as a strategic priority

Leroy Merlin becomes the second major retailer with a presence in Spain affected by a data breach in 2026, following the pattern the Apolo blog has documented this month: systematic attacks on mass-market retail companies with massive customer databases. Ahorramas in May, Leroy Merlin now. The common pattern is the one the 2026 DBIR confirms across the industry: customer data is the most valuable asset in cybercrime in 2026, and loyalty platforms and ecommerce are the repositories where that data concentrates with less relative protection than financial systems. For security managers and CEOs of retail companies with loyalty programmes in Spain, today's question is direct: do you know exactly what personal data you store about your customers, where it is, who has access to it, and how long it would take you to detect and notify a breach like Leroy Merlin's?

Apolo Cybersecurity: ecommerce platform security and loyalty data assessment

At Apolo Cybersecurity we help retail and ecommerce businesses assess and strengthen the protection of their customer databases: ecommerce platform and CRM security auditing, review of the collection and retention policy for sensitive personal data (DNI, addresses, purchase history), analysis of GDPR and LOPDGDD breach notification compliance, assessment of third-party integration security (digital supply chain), and incident response protocol design to ensure forensic verification time is measured in hours.

If your company has a loyalty programme with Spanish customers’ DNI data and you are not clear how long it would take you to detect and notify a breach like Leroy Merlin’s, today is the time to assess it.
