Adidas confirmed that a third-party customer service provider's vulnerability allowed a threat actor to steal company data.
Contact details of customers who have previously dealt with the Adidas customer service help desk are among the impacted data. However, passwords, credit cards, and other financial or payment information are not included.
"Adidas is in the process of informing potentially affected consumers as well as appropriate data protection and law enforcement authorities consistent with applicable law," the company explained in a notification on its website.
It has subsequently initiated an investigation to gather facts about a breach and is working with information security professionals. Adidas did not reveal the name of its third-party customer support provider. It also remains unknown who carried out the strike.
"This incident underscores a critical truth: third-party breaches swiftly become your organization's breaches, which highlights the necessity of robust oversight mechanisms," noted Fletcher Davis, senior security research manager at BeyondTrust. "Mandating security assessments, multifactor authentication, and zero-trust architecture for all vendor access, while deploying real-time identity infrastructure monitoring to cut response times to minutes, as opposed to days.”
Adidas is not the first well-known brand to have experienced data leaks or cyberattacks in recent years. Recent ransomware attacks have targeted the Co-op Group, Marks & Spencer, and the luxury shop Harrods. Marks & Spencer reported that its customers' personal information was stolen during the incident, and that retail operations had been affected.
Scattered Spider was possibly responsible for the attack, unleashing DragonForce ransomware against the UK retailer, forcing Marks & Spencer to estimate a $400 million hit on earnings.
Establishing strong defense
Forward-thinking merchants are implementing new techniques to mitigate third-party risk. Consider the following best practices:
Zero trust approach: Treat every provider as a potential risk and restrict data access to what is absolutely essential.
Incident simulation: Conduct regular exercises that simulate third-party breaches and test your response procedures.
Continuous vendor assessment: Use automated systems to track vendor security status all year, not just during annual audits.
The Adidas breach was not an isolated incident. It is a warning to the entire retail sector. As hackers become more adept, businesses must consider third-party risk as a key priority rather than just a compliance concern.
