Adidas Reports Data Breach at Third-Party Provider, Customer Data Compromised
A situation initially identified as a localized data incident at two adidas locations has escalated into a global security breach involving a third-party provider.
Adidas, the renowned German sportswear manufacturer, has confirmed that hackers accessed the systems of one of its external providers, resulting in the unauthorized transfer of customer data.
This announcement follows reports of two regional data breaches impacting adidas Türkiye and adidas Korea. The company has since clarified that data belonging to numerous global customers was affected due to the intrusion.
You have reached your limit of free articles for this month.
In a formal statement, adidas indicated that an unauthorized external entity gained access to specific consumer data via a third-party customer service vendor.
“We promptly initiated containment actions and are conducting a thorough investigation in collaboration with leading cybersecurity experts,” the company reported.
According to adidas, the compromised data does not include passwords, credit card information, or any payment-related details. Instead, it primarily consists of contact details from consumers who had previously reached out to customer service.
Earlier regional breach reports confirmed that the data exfiltrated pertained to individuals who engaged with customer service. An email from adidas Turkey detailed that the compromised data included full names, phone numbers, dates of birth, gender, and email addresses.
However, adidas Turkey reassured that no passwords or financial data were accessed during the breach.
With a vast international clientele, adidas operates in over 50 countries and boasts approximately 303 million members in its adiClub loyalty program. Given that 41% of sneaker owners in the U.S. have purchased adidas products, the breach could potentially impact millions of customers who have previously engaged with customer service.
The company has commenced notifying affected customers in accordance with legal protocols. “adidas is informing potentially impacted consumers as well as relevant data protection and law enforcement agencies,” the statement mentioned.
“We remain committed to safeguarding our consumers’ privacy and security, and we sincerely apologize for any inconvenience or distress this incident may have caused.”
As of now, there has been no indication from threat actors claiming responsibility for the breach.
Daniel Croft
Daniel Croft, hailing from Western Sydney, is a dedicated journalist focused on technology. A graduate of Macquarie University, he has contributed to various publications including Australian Aviation, Cyber Security Connect, and Defence Connect since joining Momentum Media in 2022. Outside of journalism, Daniel enjoys music and plays in local bands around Sydney.
In analyzing this incident, it appears to align with certain tactics and techniques within the MITRE ATT&CK framework. Specifically, the breach may involve initial access through compromised third-party systems—highlighting the importance of robust vendor risk management protocols. Additionally, the unauthorized actor’s ability to exfiltrate data indicates potential exploitation of vulnerabilities within the provider’s security architecture. Businesses should take this incident as a reminder to evaluate their own cybersecurity defenses against similar threats.
