
Summary
Adidas disclosed a data breach impacting customer contact information stolen via a third-party customer service provider. Financial data remains safe, and Adidas is actively investigating and notifying affected customers. This incident highlights the increasing risk of third-party breaches.
Main Story
Adidas disclosed a data breach on May 23, 2025, stemming from a cyberattack on a third-party customer service provider. This incident has exposed personal information of customers who’ve interacted with Adidas’s customer service help desk. While the exact number of affected individuals remains undisclosed, the breach potentially involves a considerable number of customers across multiple regions, including the U.S. and Europe.
Stolen Data and Potential Risks
The stolen data primarily comprises customer contact information, including full names, email addresses, phone numbers, postal addresses, and dates of birth. Adidas explicitly stated that no sensitive financial information like passwords, credit card details, or other payment-related data was compromised in this breach. Although seemingly less critical than financial data, this leaked information presents a considerable risk for phishing attacks and social engineering scams. Cybercriminals can exploit this data to create convincing phishing emails, posing as Adidas representatives and tricking customers into revealing sensitive information like login credentials or financial details. Additionally, the stolen data could be used for identity theft or other fraudulent activities.
The Breach and Adidas’s Response
The breach occurred at a third-party customer service provider used by Adidas, and investigations reveal no evidence suggesting Adidas’s internal systems were directly compromised. The exact attack vector utilized by the cybercriminals remains undisclosed, but it likely involved phishing, credential stuffing, or an exploited vulnerability in the service provider’s systems. This incident aligns with a broader trend of retail sector breaches exploiting vulnerabilities within supply chains. Adidas acted swiftly upon discovering the breach, taking immediate steps to contain the incident and launching a comprehensive investigation in collaboration with leading information security experts. The company has also notified relevant data protection and law enforcement authorities, adhering to applicable laws like GDPR. Currently, Adidas is in the process of informing potentially affected consumers and advising them on protective measures.
Lessons Learned and the Future of Cybersecurity
This data breach serves as a stark reminder of the vulnerabilities organizations face through their third-party service providers. Often overlooked in security assessments, these external partners can become weak links in an otherwise robust security posture. The incident emphasizes that cybersecurity requires a holistic approach extending beyond an organization’s internal infrastructure. Regular risk assessments of third-party vendors, continuous monitoring of external integrations, and extending security tools’ visibility across hybrid and multi-party environments all become crucial.
The Adidas breach further underscores the increasing importance of AI-based cybersecurity solutions in today’s threat landscape. AI and machine learning offer the adaptive capabilities required to identify and respond to constantly evolving third-party threats, offering real-time anomaly detection and enhanced threat intelligence.
As the retail sector becomes a prime target for cybercriminals due to its vast consumer data and reliance on outsourced support, this incident highlights the shared responsibility of cybersecurity. Security is not just an IT concern: it requires alignment across legal, procurement, and operations teams to manage vendor risk effectively.
Furthermore, this incident is not Adidas’s first encounter with a cyberattack. In 2018, the company experienced a breach affecting millions of shoppers on its U.S. website, exposing contact information, usernames, and encrypted passwords. These recurring incidents underscore the persistent threat to organizations and the constant need for vigilance and improvement in security practices.
As of May 29, 2025, investigations are ongoing, and further details regarding the impacted service provider, the breach timeline, and the specific number of affected individuals remain undisclosed. This information is subject to change as the investigation unfolds.
Given the repeated breaches Adidas has experienced, what specific changes to their vendor risk management program have been implemented since the 2018 incident, and how are these being measured for effectiveness?
That’s a great question regarding Adidas’s specific changes to their vendor risk management program post-2018. While details are limited, this incident underscores the need for robust third-party security. Strong vendor risk management programs need continuous monitoring and regular risk assessments, and mature programs will have metrics to determine effectiveness. Let’s discuss how other companies are measuring the effectiveness of their programs.
Editor: StorageTech.News
The mention of AI-based cybersecurity solutions is interesting. How can organizations ensure that these AI systems are continuously updated to recognize new and evolving threats from third-party vendors, and how are these systems tested for bias in identifying potential risks?