On May 23rd, 2025, athletic apparel company Adidas published a notice disclosing a data breach originating from a cyberattack targeting a third-party customer service provider. The disclosure gives limited information about the source of the breach, the corporation’s response and remediation, the nature of the compromised data, and what to expect moving forward.
Details of the Breach
The data that was compromised as a result of this attack on a third-party service primarily consists of contact information for consumers who had previously contacted the customer service help desk. It does not include passwords, credit card numbers, or any other financial or credential data. The notice does not specify the identity of the third-party customer service vendor or the timeline of the breach, but promises full commitment to the privacy and security of customers.
“Adidas’ press note does not offer a vendor name, but it exposes an industry blind spot, which is call-center exhaust,” says Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). “Attackers didn’t chase card data, but they siphoned the valuable commodity inside ticket logs: verified emails, phone numbers, shipping addresses, and conversational snippets that reset security questions in downstream systems.” This tactic, while not as directly harmful as stealing financial or credential information, is favored by many cybercriminals for a number of reasons.
Third-Party Risk in the Digital Supply Chain
With increasingly complex and interconnected digital supply chains, attacks and breaches occurring through third-party partners and relationships are on the rise. Such deep entanglement of digital systems creates issues of oversight and responsibility, leading to gaps in security. Organizations often lack full visibility into the third-party connections that could serve as avenues of attack, which hinders proper management and security of those connections.
Many high-profile incidents have occurred through similar vectors in recent years, including the 2024 Midnight Blizzard attack against Microsoft, the 2023 AT&T vendor breach, and the 2022 LastPass data breach. Corporations of all sizes and across all sectors struggle to effectively secure their third-party relationships through proper oversight and management of third-party risks.
Adidas’s Response and Next Steps
Adidas released the disclosure announcement with limited information about the breach, stating that the corporation “is in the process of informing” customers whose data may have been compromised in the attack, as well as relevant data protection and law enforcement organizations. The company also took immediate steps to contain the incident and carry out a comprehensive investigation into the breach in collaboration with information security experts. The public-facing notice assures that Adidas is dedicated to ensuring customer information is private and secure. Updates on the progress of the investigation are pending.
What Consumers and Companies Should Do
Customers whose information may have been affected by this breach should keep an eye out for a private notice from Adidas about the attack. Acting to mitigate the potential exposure of personal information and taking precautions against future data breaches is crucial. This breach is part of a wider trend of incidents rooted in corporate vendor risk management, one which organizations must respond to by securing their supply chains and establishing robust security strategies. Transparency and rapid response to security incidents are crucial to mitigate damage and maintain consumer and partner trust.
Organizations should also implement measures to contain attacks and ensure security and resilience. “Deploying conditional access policies that restrict credentials to specific IP ranges or predefined systems can dramatically minimize exposure,” says Fletcher Davis, Senior Security Research Manager at BeyondTrust. “Comprehensive visibility into all privileged identities, human and non-human, should be the norm, enabling proactive identification of overprivileged and hidden vulnerabilities before exploitation occurs.”
Looking Ahead
Far from being an isolated incident, this Adidas breach is one attack in a spate of breaches that have occurred via third-party organizations. Digital supply chains are extremely complex and interconnected, making it difficult to establish clear lines of governance, responsibility, and accountability. It is vital for organizations in consumer-facing industries to implement stricter third-party risk frameworks to protect against the dangers of attacks like this.