Hacker working showing third-party breach of customer data

Adidas Warns of a Third-Party Breach That Compromised Customer Data

German sportswear giant Adidas has confirmed that a third-party breach compromised customer data amid ongoing cybersecurity incidents rocking the company in other countries.

“Adidas recently became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider,” the company stated.

The Germany-based company promptly responded to contain the incident and launched an investigation with leading cybersecurity experts.

“We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts,” it said.

Adidas third-party breach leaked customer data

Preliminary results of the investigation confirmed that the third-party breach leaked customer data, consisting of the contact information of individuals who reached its help desk.

However, the third-party breach did not leak customer financial details, such as credit card information and bank account numbers.

Meanwhile, Adidas is in the process of notifying impacted customers and filing the necessary regulatory data breach notifications.

“Adidas is in the process of informing potentially affected consumers as well as appropriate data protection and law enforcement authorities consistent with applicable law,” it said.

Additionally, the apparel giant has apologized for the third-party breach and promised to provide timely updates and to support impacted customers in taking the necessary security measures.

Nonetheless, victims should remain vigilant for suspicious activity by monitoring their financial accounts, transaction statements, and credit reports for anomalies.

“Affected customers should watch out for unsolicited messages, spam, and in general, unusual traffic. Attackers may use this to launch phishing attempts,” said Jonathan Stross, SAP Security Analyst at Pathlock. “Even though financial data wasn’t leaked, contact information can still be used for identity fraud.”

Growing list of retailers impacted by cyber attacks

Meanwhile, Adidas has joined the growing list of European retailers impacted by an ongoing hacking campaign likely propagated by the notorious ransomware group Scattered Spider.

U.K. retail giants Marks & Spencer, Harrods, and the Co-op have confirmed falling victim and potentially leaking customer data.

Marks & Spencer recently said the cyber attack will continue to disrupt its online systems “throughout June and into July,” and could cost the company as much as £300 million ($404m) or a third of its annual profits. While the incident bears the hallmarks of a ransomware attack, M&S attributed it to human error.

So far, no evidence suggests that the Adidas third-party breach was related to the hacking campaign targeting U.K. retailers. However, this assessment could change as more information becomes available.

Meanwhile, the identity of the service provider responsible for the third-party breach remains undisclosed, as does the number of victims impacted.

“Adidas’ press note is does not offer a vendor name, but it exposes an industry blind spot, which is call-center exhaust,” said Jason Soroko, Senior Fellow at Sectigo.

Nevertheless, it underscores the need to vet third-party vendors’ cybersecurity practices to ensure the safety and privacy of customer data.

“This breach underscores the importance of establishing quality gates and data loss prevention for third-party software,” Stross noted. “While the company’s developments are being secured through agile processes and code reviews, third-party software tends to be blindly trusted.”

“For all code changes, regardless of origin, testing and validating adherence to up-to-date security standards is mandatory, even in cases where a third party can be held accountable,” added Stross.

Nonetheless, Adidas has suffered customer data breaches in the past. Earlier, it disclosed data breaches in Turkey and South Korea that leaked customer data, including names, phone numbers, email addresses, addresses, and dates of birth, and neither of incidents leaked financial information.

Coincidentally, Adidas linked the South Korean cyber attack to a third-party vendor, suggesting that the recent incident could be part of an ongoing campaign or was related to previous breaches abroad.

“We have confirmed that there was unauthorized access to some consumer data through a third-party customer service provider,” it said on May 16, according to Business Korea.

In 2018, the German sportswear giant also suffered another customer data breach that exposed the contact information, usernames, and hashed passwords of a million people in the United States.