Adidas data breach reveals customer info in vendor attack

Hackers are no longer targeting only tech giants or hospitals. Any business that collects valuable personal information, such as names, phone numbers, email addresses or even basic financial details, is now a target.

Companies that rely heavily on third-party vendors or outsourced customer support are even more at risk, especially if they are not particularly strong in the technology sector.

German retailer Adidas learned this the hard way. The company recently confirmed a data breach involving one of its external partners, and although it has acknowledged the issue, many important details are still missing.

Adidas posted this information on both its German and English websites. However, no specific region or number of affected individuals has been confirmed. The company's statement did clarify that no payment information, such as credit card details, nor passwords were included in the breach. Instead, it involved contact details submitted by users to Adidas' help desk in the past.

In the wake of the breach, Adidas began notifying potentially affected customers directly. The company's email to customers below aimed to reassure recipients and clarify what information was involved. Here is the full text of the notification sent to affected individuals.

Dear customer,

We are writing to inform you of an issue that we recently became aware of which may have impacted some of your data.

What happened

adidas recently learned that an unauthorized external party gained access to certain customer data through a third-party customer service provider.

What information was involved

The affected data does not contain passwords, credit card or any other payment-related information. Nor have any Social Security numbers been impacted.

It mainly consists of contact information relating to customers who had contacted our customer service help desk in the past. This may have included one or more of the following: name, email address, telephone number, gender and/or birth date.

What we are doing 

Privacy and the security of your data is our priority. Upon becoming aware of this incident, adidas took proactive and immediate steps to investigate and contain the incident. This includes further enhancing security measures and resetting passwords for customer service accounts.

What you can do

We are currently unaware of any harm (such as identity theft or fraud) being caused to our customers as a result of this incident. There are no immediate steps that you need to take. Although, as always, please remain vigilant and look out for any suspicious messages. As a reminder, adidas will never directly contact you to ask that you provide us with financial information, such as your credit card details, bank account information or passwords.

Who you can contact

We apologise for any inconvenience caused by this incident.

adidas Team

Despite the official acknowledgment, several questions remain unanswered. Adidas has yet to clarify whether this is a single breach affecting multiple regions or several separate incidents. The lack of transparency around the name of the third-party vendor and the absence of concrete numbers or locations for affected users has created frustration among observers and possibly among customers themselves.

The earlier regional reports from Turkey and Korea might suggest that this incident was either global in scale or that similar third-party vendors were independently targeted. In either case, the company's current handling of the situation has left room for speculation. Adidas claims it is in the process of informing potentially affected customers, but it has not detailed the method or timeline for this outreach.

If you think you were affected or just want to be cautious, here are some steps you can take right now to stay safe from the Adidas data breach:

4. Set up fraud alerts: Requesting fraud alerts notifies creditors that they need extra verification before issuing credit in your name. You can request fraud alerts through any one of the three major credit bureaus; they'll notify the others. This adds another layer of protection without completely freezing access to credit.

6. Be wary of social engineering attacks: Hackers may use stolen details like names or birthdates from breaches in phone scams or fake customer service calls designed to trick you into revealing more sensitive info. Never share personal details over unsolicited calls or emails. Social engineering attacks rely on trust, and vigilance is key.

The Adidas breach shows that even companies with decades of brand equity and a massive global footprint are not immune to lapses in data security. It underscores the need for companies to go beyond basic compliance and actively evaluate the cybersecurity standards of every partner in their ecosystem. Consumers are becoming increasingly aware of the trade-offs they make when sharing their personal information, and brands that fail to meet this moment may find their reputations eroding faster than they expect.

Follow Kurt on his social channels:

Answers to the most-asked CyberGuy questions:

New from Kurt:

Copyright 2025 CyberGuy.com. All rights reserved.