Sportswear giant Adidas has reported a data breach following a cyberattack on one of its customer service providers, which resulted in the theft of certain customer data.
“Adidas recently became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider. We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts,” the company said in a statement.
The company said the affected data contains no passwords, credit card or any other payment-related information. “It mainly consists of contact information relating to consumers who had contacted our customer service help desk in the past.”
Adidas said it is in the process of informing potentially affected consumers, as well as appropriate data protection and law enforcement authorities, consistent with applicable law.
“We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident.”
It has yet to reveal further details regarding this incident, including the name of the impacted service provider, when the incident was detected, how many individuals were affected, and if its own network was compromised during the attack.
Quality Gates, DLP
Jonathan Stross, SAP Security Analyst at Pathlock, says the breach highlights the importance of establishing quality gates and data loss prevention for third-party software. “While the company’s developments are being secured through agile processes and code reviews, third-party software tends to be blindly trusted.”
Stross says fFor all code changes, regardless of origin, testing and validating adherence to up-to-date security standards is mandatory, even in cases where a third party can be held accountable. “Additionally, third-party software often lacks the reporting API’s and capabilities to alert or block certain access when an unusually high amount of traffic is being generated, which can indicate a data export.”
Industry Blind Spots
While Adidas’ doesn’t offer a vendor name, but it exposes an industry blind spot, which is a call-center exhaust, adds Jason Soroko, Senior Fellow at Sectigo. “Attackers didn’t chase card data, but they siphoned the valuable commodity inside ticket logs, verified emails, phone numbers, shipping addresses, and conversational snippets that reset security questions in downstream systems. Because many global retailers funnel multiple brands through the same BPO platforms, one breach seeds cross brand credential stuffing and warranty fraud campaigns at scale.”
Under the EU’s NIS2 supply-chain clauses taking effect later this year, Soroko says Adidas must prove it had vendor controls for data minimization and tokenization and not just PCI segregation. “Regulators will ask why PII records were still sitting in a provider’s CRM years after ‘the last sneaker return’. Treat customer service transcripts as high risk assets and isolate them with zero-trust segmentation before the next attacker does.”
Managing Access
Fletcher Davis, Senior Security Research Manager at BeyondTrust says third-party breaches swiftly become your organization’s breaches, which highlights the necessity of robust oversight mechanisms. “Mandating security assessments, multi-factor authentication, and zero-trust architecture for all vendor access, while deploying real-time identity infrastructure monitoring to cut response times to minutes, as opposed to days.”
Organizations must stop only controlling who has access, and must strictly managing how and where access is granted, Davis adds. “Deploying conditional access policies that restrict credentials to specific IP ranges or predefined systems can dramatically minimize exposure. Comprehensive visibility into all privileged identities, human and non-human, should be the norm, enabling proactive identification of overprivileged and hidden vulnerabilities before exploitation occurs.”
Practice Good Cybersecurity Hygiene
“While the breach didn’t expose customers’ Social Security numbers or any payment information, the contact information that was exposed could be used by the bad actors of the world to phish for additional information, like banking or credit card info,” says Chris Hauk, Consumer Privacy Advocate at Pixel Privacy.
Affected customers (and all users in general) need to stay alert for possible phishing emails and text, and should never click on links or open attachments in any unsolicited messages, Hau, adds. “Customers should also take advantage of any credit monitoring services that Adidas might offer to provide further protection against the bad guys.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.