Adidas Confirms Data Breach, Security Leaders Weigh In

Adidas has announced that it experienced a data breach. The breach occurred when an unauthorized party gained access through a third-party customer service provider.
According to the notice, the affected information is contact information for customers who had previously contacted the customer service help desk. The notice states that passwords, credit card data and other payment information were not involved.
Below, security leaders discuss the implications of this breach.
Security Leaders Weigh In
Jonathan Stross, SAP Security Analyst at Pathlock:
This breach underscores the importance of establishing quality gates and data loss prevention for third-party software. While the company’s developments are being secured through agile processes and code reviews, third-party software tends to be blindly trusted.
For all code changes, regardless of origin, testing and validating adherence to up-to-date security standards is mandatory, even in cases where a third party can be held accountable.
Additionally, third-party software often lacks the reporting APIs and capabilities to alert or block certain access when an unusually high amount of traffic is being generated, which can indicate a data export.
Affected customers should watch out for unsolicited messages, spam, and in general, unusual traffic. Attackers may use this to launch phishing attempts. Even though financial data wasn’t leaked, contact information can still be used for identity fraud.
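The alerting gap Stross describes, where nothing flags a service-desk or vendor account pulling an unusually large number of customer records, can be closed with a volume-based detection over the provider's audit log. The following is an added example, not code from the article, from Adidas or from any quoted vendor; the log format (`timestamp actor action object src_ip`), the account names and the threshold of 50 reads in 5 minutes are assumptions for illustration, and the sample log is constructed.

```python
"""Flag accounts that read an unusually high number of customer records in a
short window, the footprint a bulk export leaves in a CRM audit log.
Added example; the log format, actor names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed audit log: a human agent working tickets at a normal pace,
    and a vendor service account reading 120 records at one per second."""
    base = datetime(2024, 5, 20, 9, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = ["# timestamp actor action object src_ip"]
    for i in range(12):  # one read every two minutes
        t = (base + timedelta(minutes=2 * i)).strftime(fmt)
        lines.append(f"{t} agent.alice customer.read cust-{1000 + i} 10.20.0.5")
    for i in range(120):  # one read every second
        t = (base + timedelta(minutes=2, seconds=i)).strftime(fmt)
        lines.append(f"{t} svc.vendor-bpo customer.read cust-{2000 + i} 203.0.113.7")
    return "\n".join(lines)


def parse_events(text):
    """Parse whitespace-separated audit lines into dicts; skips blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, actor, action, obj, src_ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "actor": actor,
            "action": action,
            "object": obj,
            "src_ip": src_ip,
        })
    return events


def detect_bulk_reads(events, window=timedelta(minutes=5), max_reads=50,
                      action="customer.read"):
    """Return {actor: peak reads inside any sliding window of length `window`}
    for every actor whose peak exceeds `max_reads`."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == action:
            per_actor[e["actor"]].append(e["ts"])

    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # advance the window start until it is within `window` of t
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_reads:
            alerts[actor] = peak
    return alerts


if __name__ == "__main__":
    for actor, count in detect_bulk_reads(parse_events(build_sample_log())).items():
        print(f"ALERT: {actor} read {count} customer records within 5 minutes")
```

The sliding window is per actor, so a busy help desk with many agents does not trip the alert while one account draining records does. In practice the threshold would come from each account's own baseline rather than a fixed constant, and the same check can key on source IP to catch a stolen credential used from a new location.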
Jason Soroko, Senior Fellow at Sectigo:
Adidas’ press note does not offer a vendor name, but it exposes an industry blind spot, which is call-center exhaust. Attackers didn’t chase card data, but they siphoned the valuable commodity inside ticket logs: verified emails, phone numbers, shipping addresses, and conversational snippets that reset security questions in downstream systems. Because many global retailers funnel multiple brands through the same BPO platforms, one breach seeds cross-brand credential stuffing and warranty fraud campaigns at scale.
Under the EU’s NIS2 supply-chain clauses taking effect later this year, Adidas must prove it had vendor controls for data minimization and tokenization and not just PCI segregation. Regulators will ask why PII records were still sitting in a provider’s CRM years after ‘the last sneaker return.’ Treat customer service transcripts as high risk assets and isolate them with zero-trust segmentation before the next attacker does.
Fletcher Davis, Senior Security Research Manager at BeyondTrust:
This incident underscores a critical truth: third-party breaches swiftly become your organization’s breaches, which highlights the necessity of robust oversight mechanisms. That means mandating security assessments, multi-factor authentication, and zero-trust architecture for all vendor access, while deploying real-time identity infrastructure monitoring to cut response times to minutes, as opposed to days.
Organizations must pivot from merely controlling who has access to also strictly managing how and where access is granted. Deploying conditional access policies that restrict credentials to specific IP ranges or predefined systems can dramatically minimize exposure. Comprehensive visibility into all privileged identities, human and non-human, should be the norm, enabling proactive identification of overprivileged and hidden vulnerabilities before exploitation occurs.
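Davis's point about restricting vendor credentials to specific IP ranges and predefined systems is a policy decision that can be evaluated per request. The following is an added example, not code from the article, from BeyondTrust or from Adidas; the policy table, the account name `svc.vendor-bpo`, the system name `crm-ticketing` and the documentation-reserved address ranges are assumptions for illustration.

```python
"""Evaluate a vendor credential's access request against a conditional access
policy: allowed source ranges, allowed target systems and an MFA requirement.
Added example; the policy contents are assumptions, not any real deployment."""
import ipaddress

# Constructed policy: one entry per vendor identity. Anything not listed is denied.
VENDOR_ACCESS_POLICY = {
    "svc.vendor-bpo": {
        "allowed_cidrs": ["203.0.113.0/24", "198.51.100.0/26"],
        "allowed_systems": {"crm-ticketing"},
        "require_mfa": True,
    },
}


def evaluate_access(policy, actor, src_ip, system, mfa_passed):
    """Return (allowed, reason). Every check must pass; unknown actors are denied."""
    rule = policy.get(actor)
    if rule is None:
        return False, f"no policy for {actor}: default deny"

    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, f"unparseable source address {src_ip!r}"

    if not any(ip in ipaddress.ip_network(cidr) for cidr in rule["allowed_cidrs"]):
        return False, f"source {src_ip} is outside the allowed ranges for {actor}"

    if system not in rule["allowed_systems"]:
        return False, f"{actor} is not permitted to reach {system}"

    if rule["require_mfa"] and not mfa_passed:
        return False, f"MFA required for {actor}"

    return True, "allowed"


if __name__ == "__main__":
    # The vendor from its own network, to the one system it supports, with MFA.
    print(evaluate_access(VENDOR_ACCESS_POLICY, "svc.vendor-bpo", "203.0.113.7", "crm-ticketing", True))
    # The same credential replayed from an unknown network is refused.
    print(evaluate_access(VENDOR_ACCESS_POLICY, "svc.vendor-bpo", "192.0.2.44", "crm-ticketing", True))
```

The order of checks matters for what an attacker learns from a denial: the source-range check runs before the MFA check, so a stolen credential used from outside the vendor's ranges is refused without ever reaching the second factor. The same rule set is what a reverse proxy, an identity provider's conditional access feature or a privileged access gateway would enforce; the example only makes the logic explicit.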