Adidas has disclosed a data breach involving a third-party service provider, resulting in the unauthorized exfiltration of consumer data across multiple global regions.
Third-Party Provider Breached, Not Regional Systems
What initially appeared to be limited to regional data breaches in Adidas Turkey and Adidas Korea has now been confirmed as a third-party incident affecting a broader base of customers. According to a company statement, a threat actor accessed consumer data through a third-party customer service provider.
“Adidas recently became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider,” the company said.
Adidas added that it acted quickly to contain the incident and began a full investigation in collaboration with information security specialists.
Customer Service Data Exfiltrated, Payment Information Unaffected
The compromised information mainly relates to consumers who had previously contacted Adidas customer service help desks. The company emphasized that no passwords, credit card details, or payment data were exposed.
In breach notification emails sent by Adidas Turkey, impacted data was described as:
- Full names
- Phone numbers
- Dates of birth
- Gender details
- Email addresses
Again, no financial information or login credentials were included in the breach.
Global Impact Possible Due to Scale of Operations
With a footprint in over 50 countries and over 303 million adiClub members, the scope of the breach could extend far beyond the initial regional disclosures.
Adidas has started notifying affected customers and is complying with applicable legal and regulatory obligations.
“Adidas is in the process of informing potentially affected consumers as well as appropriate data protection and law enforcement authorities consistent with applicable law,” the company stated.
“We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident.”
As of now, no threat actor has publicly claimed responsibility for the breach.