April 2025 Adidas Data Breach: Supply Chain Attack via Third-Party Customer Service Provider
- Rescana

Executive Summary
In April 2025, German sportswear giant Adidas fell victim to a cyberattack that compromised customer data through a third-party customer service vendor, making this a textbook supply chain breach. Attackers infiltrated an external customer support provider’s systems and accessed certain consumer information. Crucially, no payment details or passwords were stolen – the exposed data mainly included contact information of customers who had reached out to Adidas’s help desk. Adidas responded quickly by containing the incident, launching an investigation with cybersecurity experts, and notifying affected customers and authorities. This incident underscores the supply chain risks organizations face when entrusting sensitive consumer data to third-party service providers.
Overview of the Incident
Adidas announced that an unauthorized external party obtained customer data by breaching the systems of an unnamed third-party customer service provider. The data accessed mainly consisted of contact information for individuals who had contacted Adidas’s customer service help desk. According to the company, no passwords, credit card numbers, or other financial information were compromised. Adidas has not disclosed how many customers worldwide were affected.
The company promptly contained the incident, launched an investigation with leading cybersecurity experts, and began informing regulators and affected consumers. Officials noted that the third party’s systems were segmented from Adidas’s core network – a design that likely limited the breach’s impact to the vendor’s data only.
Timeline of Discovery and Response
Late April 2025: Suspicious activity detected in the third-party vendor’s systems.
Early May 2025: Regional disclosures begin (e.g., Turkey and South Korea).
May 23, 2025: Adidas issues a global disclosure confirming a third-party breach.
Late May 2025: Ongoing incident response and customer notifications.
Attack Vector and Method Analysis
Adidas has not disclosed the technical intrusion method. However, possible vectors include:
Phishing or Social Engineering: Targeting vendor employees.
Exploitation of Vulnerabilities: In vendor infrastructure.
Abuse of Valid Credentials: Stolen or reused passwords for access.
No malware or hacking tools have been identified. The breach likely involved stealthy data exfiltration rather than disruption.
Potential Threat Actor Activity
No specific group has been attributed to this breach. While other attacks on UK retailers in 2025 have been linked to “Scattered Spider,” Adidas’s incident appears unrelated. Authorities continue to investigate.
Implications for Retail and E-Commerce Supply Chains
This breach highlights the critical vulnerabilities third-party vendors introduce to retail organizations. Even when internal systems are secure, external partners can become the weakest link. Regulatory obligations, reputational risks, and operational impacts from such attacks can be substantial.
MITRE ATT&CK Mapping
T1190: Exploit Public-Facing Application
T1566: Spear Phishing
T1078: Valid Accounts
T1016/T1049: System and Network Discovery
T1213: Data from Information Repositories
T1041/T1567: Exfiltration Over Network or Cloud
Actionable Recommendations
Critical
Revoke or isolate third-party access.
Launch forensic investigation.
Notify regulators and affected customers.
Enhance fraud detection for impacted individuals.
High
Audit vendor security postures.
Enforce least-privilege access.
Update contracts with security clauses.
Mandate MFA for all vendor interactions.
Boost phishing awareness and defenses.
Strategic
Mature third-party risk programs.
Adopt Zero Trust architecture.
Run vendor breach tabletop exercises.
Minimize data shared with vendors.
Align supply chain governance with regulations.
Rescana’s Expertise in Third-Party & Supply Chain Security
Rescana specializes in identifying and mitigating vulnerabilities in third-party vendor relationships. Our platform autonomously discovers and assesses risks across your entire supply chain, providing continuous monitoring, real-time risk scoring, and AI-driven simulations. In the wake of supply chain breaches like Adidas’s, Rescana helps organizations fortify their defenses, enforce policies, and reduce exposure to third-party risk.