German sportswear giant Adidas has confirmed a significant data breach involving customer contact information accessed through a compromised third-party customer service provider.
The incident, disclosed on May 23, 2025, exposed contact details of consumers who had previously interacted with the company’s customer service help desk, though the breach did not compromise passwords, credit card data, or other payment-related information.
This breach exemplifies the growing cybersecurity challenges facing major retailers. According to Verizon’s 2025 Data Breach Investigations Report, third-party breaches now account for 30% of all data incidents, representing a doubling from 15% the previous year.
Data Breach Via Third-Party Customer Service Provider
The unauthorized external party accessed consumer data through vulnerabilities in Adidas’ third-party customer service provider infrastructure.
The notice states that the compromised data primarily consisted of contact information for customers who had previously contacted the company’s customer service help desk.
The company has begun informing potentially affected consumers and the appropriate data protection authorities, as required by applicable regulations.
This incident reflects a broader epidemic affecting the retail sector. Adidas joins a growing list of compromised organizations, including Marks & Spencer, Harrods, Co-Op, and Dior, all of which have experienced similar breaches in recent months.
Third-party data breaches occur when malicious actors compromise vendors, suppliers, or contractors to gain access to their clients’ sensitive information.
These supply chain attacks have become the preferred method for threat actors, with 62% of network intrusions now originating from third-party sources.
The financial impact of third-party breaches exceeds that of direct breaches, with costs increasing 5% above average due to reputational damage and business disruption.
Small subcontractors and service providers represent attractive targets for cybercriminals seeking to bypass the robust cybersecurity defenses of larger organizations.
Consumer Protection Measures
The breach triggers multiple compliance obligations under data protection frameworks, including GDPR and national breach notification statutes.
Organizations must implement comprehensive third-party risk management (TPRM) programs that incorporate vendor security assessments, multi-factor authentication (MFA), and zero-trust architectures.
Data Security Posture Management (DSPM) solutions provide enhanced visibility into vendor access permissions and can proactively identify potential vulnerabilities before exploitation.
Encryption-at-rest protocols, as outlined in Azure security frameworks, ensure that even if data is accessed, it remains protected through symmetric encryption using AES-256 keys within hierarchical key management systems.
The incident underscores the critical importance of implementing envelope encryption methodologies and maintaining strict access controls across all third-party integrations to minimize exposure risks.
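The envelope encryption referred to above, as an added Node.js example (not code from the article, Adidas, or Azure): each record is encrypted with its own AES-256-GCM data key, which is then wrapped under a key-encryption key. The function names, the record ID used as associated data, and the locally generated KEKs standing in for keys held in a KMS are assumptions.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM with a fresh 96-bit nonce per call; the auth tag travels with the ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws on wrong key, AAD or tampering
}

// Encrypt one record under its own data-encryption key (DEK), then wrap the DEK under
// the key-encryption key (KEK). Only the wrapped DEK is stored next to the data.
function encryptRecord(kek, recordId, plaintext) {
  const aad = Buffer.from(recordId); // binds both ciphertexts to this record
  const dek = crypto.randomBytes(32);
  const data = seal(dek, Buffer.from(plaintext), aad);
  const wrappedDek = seal(kek, dek, aad);
  dek.fill(0); // drop the plaintext DEK once it is wrapped
  return { recordId, data, wrappedDek };
}

function decryptRecord(kek, env) {
  const aad = Buffer.from(env.recordId);
  const dek = open(kek, env.wrappedDek, aad);
  try { return open(dek, env.data, aad).toString(); } finally { dek.fill(0); }
}

// KEK rotation re-wraps the 32-byte DEK only; the record ciphertext is left untouched.
function rewrap(oldKek, newKek, env) {
  const aad = Buffer.from(env.recordId);
  const dek = open(oldKek, env.wrappedDek, aad);
  try { return { ...env, wrappedDek: seal(newKek, dek, aad) }; } finally { dek.fill(0); }
}

// Constructed sample: random local KEKs (assumption) and a made-up help-desk contact record.
const kekV1 = crypto.randomBytes(32), kekV2 = crypto.randomBytes(32);
const env = encryptRecord(kekV1, 'ticket-1001', '{"email":"jane@example.com"}');
const rotated = rewrap(kekV1, kekV2, env);
console.log(decryptRecord(kekV2, rotated));
```

A party that holds only the stored envelope, without access to the KEK, cannot unwrap the DEK, and retiring a KEK after rotation cuts off every envelope still wrapped under it.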