Breach, Threat Management, Data Security

Tread carefully: Adidas U.S. retail website breached

Several million online retail customers of German shoe and apparel manufacturer Adidas may have had their personal information compromised in a data breach involving an unauthorized third party.

The $24.77 billion company on Thursday acknowledged in a brief online disclosure that it has begun informing consumers who made purchases via about a "potential data security incident," after an unnamed party claimed to acquire data linked to Adidas shoppers.

The breached data includes contact information, usernames and encrypted passwords, but apparently not credit card or personal fitness information. While the company's online statement did not put a number of how many consumers have been affected, multiple news reports have cited an Adidas spokesperson as saying "a few million customers" were involved.

In response to the incident, Adidas is "working with leading data security firms and law enforcement authorities to investigate the issue," the company says in its statement.

James Lerud, head of the behavioral research team at Verodin, said in emailed comments that the lack of stolen financials and health information, coupled with the fact that the stolen passwords were encrypted, "leads me to believe that Adidas is following best practices." Nevertheless, he added, "Businesses should take this as a warning that even if you follow best practices, breaches can still happen. Security controls need to be continuously measured, evaluated, and updated to stay ahead."

“The Adidas breach is just another example of how organizations need to maintain security-in-depth to protect their cyber posture," said Mukul Kumar, CISO and vice president of cyber practice at Cavirin. "Here, they need to automate continuous assessment of their servers, and, if they are in the cloud, their cloud security posture, to ensure that any gaps are identified and remediated. Given GDPR, this is even more vital for Adidas given that their HQ is in the EU.”

“Retail websites have become a fertile hunting ground for attackers targeting customer data," said Fred Kneip, CEO at CyberGRX, also in emailed comments. "Even when organizations do everything they can do safeguard their data, attackers have gotten very good at going through third parties to find a way in." In this instance, however, it has not yet been stated how the unauthorized party accessed the information.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.