Adidas admits data breach after third-party hack

Customer details exposed

Global sportswear brand Adidas has confirmed that a data breach at a third-party customer service provider has compromised customer data.

While no financial or password information was apparently accessed, the full extent of the breach – which stemmed from a cyberattack – remains unclear.

In a statement released last Friday, the German company said it had recently become aware that "an unauthorised external party obtained certain consumer data through a third-party customer service provider."

The breach, Adidas stated, is limited to customer contact information, such as names, email addresses and potentially other personal details.

The company has not shared the name of the affected service provider, when the breach occurred, or how many individuals may have been impacted. It also remains unclear whether Adidas' own internal systems were accessed during the attack.

"We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts," the company said.

Adidas is currently in the process of informing consumers who may have been affected and is coordinating with data protection regulators and law enforcement authorities in accordance with legal requirements.

"We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident."

The latest disclosure follows earlier incidents this month, in which Adidas revealed data breaches affecting customers in Turkey and South Korea who had contacted the company's customer service centre in 2024 or earlier.

In those cases, compromised data included names, phone numbers, email addresses, birthdates and physical addresses.

The company also suffered a significant breach in June 2018, when hackers accessed usernames, contact information and encrypted passwords for millions of customers who shopped on Adidas' US website.

This incident follows a series of cyberattacks targeting retailers, including Marks & Spencer and the Co-op, in recent weeks.

The M&S attack is estimated to have cost the firm around £300 million.

Javvad Malik, lead security awareness advocate at KnowBe4, said it "highlights the critical importance of supply chain cybersecurity."

He added that "Adidas's swift response and transparency are commendable... [but] the breach emphasises the need for rigorous oversight of third-party security.”

Chris Hauk, consumer privacy advocate at Pixel Privacy, said: "While the breach didn't expose customers' Social Security numbers or any payment information, the contact information that was exposed could be used by the bad actors of the world to phish for additional information, like banking or credit card info.”

He warned that affected customers should stay alert for suspicious emails and text messages.