Danish online fashion marketplace Miinto has disclosed a data breach after an unidentified attacker compromised its order management system. The Copenhagen-based company, which connects independent boutiques with shoppers across Europe including the UK, issued an apology and warned customers to remain alert for phishing emails that may attempt to exploit stolen order details.
In a statement, Miinto said it had detected ‘unauthorised access’ to its internal systems and that an investigation was underway. The company did not specify how many records were exposed or whether payment information was involved, but confirmed that the intruder accessed order-related data. The breach is the latest in a string of incidents targeting e-commerce platforms that handle sensitive customer information across multiple jurisdictions.
For UK consumers, the incident underscores the risks of shopping through international marketplaces. Under UK data protection law, the Information Commissioner’s Office (ICO) can investigate breaches affecting British residents even when the company is based abroad. Miinto has not yet confirmed whether it has notified the ICO, but experts say the breach could trigger regulatory scrutiny if customer data belonging to UK users was compromised.
Dr. Eleanor Shaw, a cybersecurity researcher at the University of Bristol, said: “Cross-border e-commerce platforms often hold a treasure trove of personal data — names, addresses, purchase histories — that can be weaponised in targeted phishing campaigns. UK shoppers should treat any unexpected emails referencing a recent Miinto order with extreme caution, especially if they contain links or attachments.”
The breach also highlights the growing tension between the UK’s post-Brexit data adequacy regime and the European Union’s evolving cybersecurity rules. While the UK has its own data protection framework, the EU’s AI Act and the General Data Protection Regulation (GDPR) still influence how British firms handle data flowing from Europe. For UK businesses that rely on EU-based platforms like Miinto, the incident serves as a reminder to audit third-party data processors and ensure contractual protections are in place.
Miinto said it had “taken immediate steps to secure our systems” and was working with external cybersecurity experts. The company advised customers to change passwords and monitor their accounts for suspicious activity. No further details on the timeline of the attack or the identity of the perpetrator have been released.