A Hole In The Sole: Adidas Breach Highlights Third-Party Risk In Retail

Adidas has confirmed a data breach exposing customer information due to a compromise at a third-party customer service provider. The breach did not affect Adidas’s internal systems and did not expose passwords or payment data. However, personal contact information of individuals who interacted with Adidas customer support was leaked.

Severity Level: High

INCIDENT OVERVIEW:

  1. Date Disclosed: May 23, 2025
  2. Target: Adidas (via third-party customer service provider)
  3. Impact Area: Contact data of customers who interacted with Adidas’ helpdesk
  4. Disclosure: Public statement issued, affected customers and authorities notified.

HOW THE BREACH HAPPENED:

  1. Method of Entry: Cybercriminals accessed Adidas customer information via a compromised third-party customer service provider.
  2. No evidence that Adidas’s internal systems were breached.
  3. The specific attack vector (phishing, credential stuffing, or exploited vulnerability) has not been publicly disclosed.
  4. Part of a wider wave of retail sector breaches through supply chain compromises.

DATA STOLEN DURING THE BREACH:

  1. The breach did not include: Payment details, Passwords
  2. The breach did include: Full names, Email addresses, Phone numbers, Postal addresses, Dates of birth
    • This data was tied to individuals who contacted Adidas customer service.

ROOT CAUSE (BASED ON CURRENT VISIBILITY):

  1. Confirmed: Compromise occurred at third-party vendor
  2. Unconfirmed but likely:
    • Inadequate security controls or vetting at third-party provider
    • Possibly exposed web service, insecure access credentials, or employee compromise
    • Trend: Mirrors incidents affecting other retailers where threat actors exploited external support systems.
  3. Lack of Details:
    • No CVEs, malware, or specific tools attributed yet.
    • Name of the compromised vendor and timeline of initial intrusion are undisclosed.

LESSONS LEARNED:

  • Despite strong internal controls, organizations remain vulnerable through external service providers—often overlooked in security assessments.
  • The breach underscores that retail, due to its extensive consumer data and outsourced support, is now a primary target for cybercriminals.
  • Security Is a Shared Responsibility: The incident highlights that cybersecurity cannot be siloed within IT—legal, procurement, and operations must align on vendor risk.

RECOMMENDATIONS:

  1. Mandate Security Assessments: Require all third-party vendors—especially those handling customer data—to undergo annual security audits and risk assessments.
  2. Include cybersecurity requirements in vendor SLAs (e.g., data encryption, MFA, logging, breach notification within 24h).
  3. Only collect and store customer data that is strictly necessary for support operations.
  4. Encrypt sensitive contact data at rest and in transit, even in third-party systems.
  5. Apply tokenization or hashing to identifiers (email, phone) stored in support systems.
  6. Restrict access to customer data using identity-based segmentation and least privilege access models.
  7. Run phishing simulation campaigns to train employees and customers on spotting social engineering threats post-breach.
  8. Include third-party breach scenarios in your Incident Response playbooks, including breach coordination procedures.
  9. Conduct joint breach simulation exercises with critical vendors every 6–12 months.
  10. Apply rate limiting, monitoring, and authentication on any APIs exposed to third-party services.
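
Recommendations 3 and 5 can be combined in the step that exports customer data to a support system. The sketch below is an added example, not code from Adidas or its vendor: it uses keyed hashing (HMAC-SHA256) as one way to pseudonymize email and phone identifiers and drops fields the ticket does not need. The field names, the allow-list and the demo key are assumptions.

```python
import hashlib
import hmac
import re

# Assumption: in production this key comes from a KMS/secret manager that the
# support vendor cannot read; the literal below is a constructed demo value.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Fields a support ticket needs in this sketch (assumption, recommendation 3).
ALLOWED_FIELDS = {"ticket_id", "subject", "country"}


def normalize_email(email: str) -> str:
    """Trim and lowercase so the same mailbox always yields the same token."""
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Keep digits only, so '+1 (555) 010-0199' and '15550100199' match."""
    return re.sub(r"\D", "", phone)


def tokenize(value: str, kind: str, key: bytes = DEMO_KEY) -> str:
    """Keyed HMAC-SHA256 token. A plain unkeyed hash is not enough here:
    phone numbers and emails are guessable, so anyone holding the hashes
    could recompute them. The key keeps tokens useless without it."""
    msg = f"{kind}:{value}".encode("utf-8")  # domain-separate email vs phone
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def to_support_record(customer: dict, key: bytes = DEMO_KEY) -> dict:
    """Build the record shared with the support system: tokens instead of
    raw identifiers, and only the allow-listed fields."""
    record = {k: v for k, v in customer.items() if k in ALLOWED_FIELDS}
    record["email_token"] = tokenize(normalize_email(customer["email"]), "email", key)
    record["phone_token"] = tokenize(normalize_phone(customer["phone"]), "phone", key)
    return record


if __name__ == "__main__":
    # Constructed sample input.
    sample = {"ticket_id": "T-1001", "subject": "Return label", "country": "DE",
              "email": " Jane.Doe@Example.com ", "phone": "+49 (30) 5550-0199",
              "date_of_birth": "1990-01-01", "postal_address": "Example Str. 1"}
    print(to_support_record(sample))
```

The tokens are deterministic, so tickets from the same customer still correlate, but they are one-way: contacting the customer has to go through a system that holds the raw identifier.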

Source:

  • https://the420.in/adidas-cyberattack-data-breach-hits-retail-sector-globally/
  • https://www.bitdefender.com/en-us/blog/hotforsecurity/adidas-customers-personal-information-at-risk-after-data-breach
  • https://www.adidas-group.com/en/data-security-information
