As major corporations increasingly rely on third-party vendors to manage customer operations, German athletic apparel giant Adidas revealed the inherent risks of this approach when it disclosed a significant data breach on May 23, 2025. The breach originated not from Adidas’s internal systems, but through a third-party customer service provider that maintained consumer data for the company’s help desk operations.
The compromised information included customer names, birthdates, phone numbers, and email addresses belonging to individuals who contacted Adidas customer service through 2024. Company officials confirmed that passwords, credentials, payment details, and credit card information remained secure throughout the incident. The company implemented DMARC protocols to prevent potential email spoofing attacks using the stolen customer data.
Nevertheless, security experts highlighted the value of the exposed data to malicious actors seeking to exploit customer information. Ryan Sherstobitoff, Senior Vice President at SecurityScorecard, warned that stolen contact information remains highly valuable for threat actors even though it lacks financial details. The exposed data could facilitate identity theft schemes, phishing campaigns, and fraudulent activities targeting affected customers, according to security assessments.
Initial breach notifications reached customers in South Korea and Turkey approximately one week before Adidas’s public disclosure. The company has not confirmed whether customers in the United States and European Union were affected, though the geographic scope appears international based on disclosure patterns.
Adidas has not revealed the total number of affected customers. Upon identifying the breach, Adidas implemented immediate containment measures and launched a thorough investigation with leading information security experts. The company notified appropriate data protection authorities and law enforcement agencies in accordance with applicable laws. Adidas emphasized its commitment to maintaining transparency in communication while adhering to all relevant data protection regulations.
Media outlets received confirmation of the incident on May 27-28, 2025, though Adidas has not disclosed when the breach was initially detected. The incident highlights ongoing vulnerabilities associated with third-party vendor security, a persistent challenge for major corporations managing customer data across multiple platforms. This breach follows a pattern of recent retail sector cyberattacks affecting major brands including Co-op Group and Marks & Spencer.
Adidas reiterated its commitment to protecting customer privacy and security as it directly contacted affected consumers. Security experts recommend that customers who contacted Adidas customer service remain vigilant for suspicious communications and monitor personal accounts for unusual activity, particularly potential phishing attempts leveraging the compromised information.