Adidas on Tuesday officially confirmed that a third-party breach has led to the compromise of customer data, but questions remain as to whose customer data was impacted and where.
The German sportswear company was reported by Cybernews to have sent breach notifications to its regional customers in Turkey and Korea earlier this month.
But now, it appears Adidas has posted an official notice on both its German and English-language websites about what could be one singular cyber incident impacting its entire network – or possibly a third breach impacting another Adidas regional network.
Titled “Data Security Information,” Adidas stated it recently became aware “that an unauthorized external party obtained certain consumer data through a third-party customer service provider.”
Cybernews, which happened to cover both the Adidas Turkey and the Adidas Korea breaches as they hit the news cycle in their respective countries, has reached out to Adidas for the second time this month, looking for further clarification. A spokesperson for the company referred Cybernews back to the statement provided on the website.
The Korean breach notice states the attackers were able to obtain information customers submitted to the Adidas customer center in 2024 and previous years.
Reportedly, the leaked information includes names, email addresses, phone numbers, dates of birth, and other personal details, as was similarly reported in the Turkish media.
US and EU customer data impact unknown
The athletic wear and sneaker company's website said it is "currently informing potentially affected consumers," although it stopped short of revealing how many customers may have been affected and where those customers might be located.
Furthermore, Adidas did not name the third-party customer service provider.
Adidas did provide some information about the type of customer data impacted, assuring its online shopping clientele that “the affected data does not contain passwords, credit cards, or any other payment-related information.”
“It mainly consists of contact information relating to consumers who had contacted our customer service help desk in the past,” it said, inline with the other breaches.
“While Adidas has claimed that the stolen data from this breach excludes any payment-related information, the data still remains highly valuable for threat actors to exploit for identity theft, phishing themes, and other fraudulent activities.”
- Ryan Sherstobitoff, SVP of Threat Research & Intelligence at SecurityScorecard
Ryan Sherstobitoff, Senior Vice President of Threat Research & Intelligence at SecurityScorecard, pointed out that retailers are known to operate in data-rich environments, handling troves of personally identifiable information (PII), loyalty data, and often payment credentials.
Adidas AG is the largest sportswear manufacturer in Europe and is second only to Nike worldwide, according to Statista.
With a recorded net sales of 21.4 billion euros in 2023 (with nearly half of those sales in Europe), the Herzogenaurach, Germany-based company produced over 310 million pairs of shoes that same year and another 330 million sportwear pieces. The free Adidas rewards program (adiClub) boasts over 303 million members worldwide.
“While Adidas has claimed that the stolen data from this breach excludes any payment-related information, the data still remains highly valuable for threat actors to exploit for identity theft, phishing themes, and other fraudulent activities,” Sherstobitoff said.
The SVP urged Adidas customers to “stay vigilant for suspicious communications,” as attackers could attempt to exploit the recent breach with targeted phishing attacks under "the pretense of legitimate communication.”
Another blow to the retail industry
In the post, Adidas said it “immediately” had taken steps to contain the incident and has since launched a “comprehensive investigation,” bringing in outside cybersecurity experts. The sportswear company also said it had notified the appropriate data protection and law enforcement authorities consistent with applicable law.
“We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident,” Adidas said.
Still, the admission of yet another breach of a major name-brand retailer is a definite blow to an already shaky consumer confidence.
Marks & Spencer (M&S) – breached over Easter weekend in a month-long ransomware attack – last week confirmed it was also compromised via a third-party vendor, sources say, the global business consulting firm Tata Consulting Services (TCS).
"The recent breaches at Dior, M&S, Harrods, and Co-Op in the last month alone make it clear that this is more than just a passing trend," he said, adding that the attackers accessing Adidas’ data through a third-party vendor only highlights the "threat of interconnected supply chains, which continue to be a major entryway for threat actors.”
"Retailers have become high-value targets for cybercriminals,” said Sherstobitoff.
“These attacks are not isolated events; they represent a growing pattern exposing a deeper, systematic vulnerability within the retail industry.”
Furthermore, the M&S, Co-op, and Harrods cyberattacks have all been claimed by the Scattered Spider ransomware group.
Sherstobitoff said that given the frequency and severity of recent attacks, security can no longer be a back-burner issue for retailers.
“A proactive, multi-layered cybersecurity strategy is essential – one that extends beyond internal systems to include continuous monitoring of the entire external attack surface, including third-party vendors and the broader supply chain," he said.
Your email address will not be published. Required fields are markedmarked