Adidas is the latest retailer to fall victim to a cyberattack.
The German sportswear brand said on Friday that an unauthorized external party obtained certain consumer data through a third-party customer service provider.” The company said on its website that it immediately took steps to “contain the incident.” It also launched a comprehensive probe on the matter and is collaborating with leading information security experts.
Adidas emphasized that affected data “does not contain passwords, credit cards or any other payment-related information.” The accessed information was centered on contact information of consumers who had contacted the brand’s customer service help desk in the past. The company said it is in the process of notifying potentially impacted consumers, as well as appropriate data protection and law enforcement authorities.
“We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident,” the company said in a statement.
Adidas did not indicate the number of consumers who were potentially exposed to the cyberattack.
Data breaches have been around for years. The largest were the Yahoo data breaches in 2013 and 2014, involving over 3 billion user accounts. In 2013, American mass discounter Target Corp. suffered a breach that compromised 40 million credit and debit card records—and 70 million customer records—when hackers gained access to the point-of-sale (POS) systems of one of the retailer’s vendors during the holiday season. It was a costly one for the discounter as it determined that the total cost of breach was $202 million, including the $18.5 million it paid in a multi-state settlement and the loss of sales as wary customers in the aftermath elected to shop elsewhere.
A cyberattack in 2023 involving personally identifiable information of customers impacted 35 million customers of apparel giant VF Corp. That same year, 10 million JD Sports customers had their information stolen, which included the last four digits of their credit cards that were used for payment.
Earlier this month, Harrods, Marks & Spencer and the Co-op Group in the U.K. have seen hackers targeting their online operations. Harrods took proactive steps to keep certain systems safe, including restricting internet access at its sites. “We are really sorry that we’ve not been able to offer you the service you expect from M&S over the last week. We are working day and night to manage the current cyber incident and [to] get things back to normal for you as quickly as possible,” said Stuart Machin, Marks & Spencer’s chief executive officer, adding that stores were open heading into the bank holiday weekend on May 5.
Also in May, Dior confirmed that it was impacted by a data breach involving its Chinese customer base. The LVMH Moët Hennessy Louis Vuitton-owned brand discovered that on May 7, an unauthorized external individual had stolen certain customer data, but not any financial information such as bank account or payment card numbers. “The teams at Dior, supported by leading cybersecurity experts, continue to investigate and respond to the incident,” wrote a Dior spokesperson in an email.
A report from KnowBe4 in March said there is a 56 percent spike in retail cyberattacks driven by phishing and AI. “This puts retail in the top five industries targeted by cybercriminals,” the report said. It noted that the average cost of a single retail data breach “reached $3.48 million in 2024,” representing an 18 percent increase from 2023.
The greatest threat now involves “credential harvesting,” where personal information is stolen. The report said that credential harvesting is now the predominant threat, accounting for 38 percent of all compromised data in 2023, while payment card data theft fell to 25 percent. Stolen credentials are preferred because they provide immediate access to personal accounts, bypassing security measures. Retailers typically keep a record of their customers’ past purchasing information and tracking data on where packages are sent.