Adidas data breach may have exposed personal data of American customers

Adidas shopping bag

Sportswear company Adidas has warned US customers about a security breach that took place earlier this week.

The firm says that on Tuesday it was made aware that "an unauthorized party claims to have acquired limited data associated with certain Adidas consumers". Two days later, the company started to notify its customers that personal data -- including contact information and usernames -- may have been compromised.

See also:

Adidas says that the potential security breach only affects customers who made purchases on adidas.com/US, and stresses that only encrypted account passwords were accessed. It's not clear why the company failed to get in touch with customers as soon as it was made aware of the issue.

A statement on the Adidas website sheds little light on what happened, and makes no hint at the scale of the problem, nor suggests who may be responsible:

Adidas today announced that it is alerting certain consumers who purchased on adidas.com/US about a potential data security incident. On June 26, Adidas became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas consumers.

Adidas is committed to the privacy and security of its consumers' personal data. Adidas immediately began taking steps to determine the scope of the issue and to alert relevant consumers. Adidas is working with leading data security firms and law enforcement authorities to investigate the issue. According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.

While Adidas continues its thorough forensic review, Adidas is alerting relevant consumers.

Javvad Malik, security advocate at AlienVault, commented on the breach saying:

The Adidas breach highlights two unfortunate trends. Firstly, that the company was apparently made aware of the breach through an unauthorised third party which claimed to have access to its customer details. It reinforces the need to have strong monitoring and threat detection controls in place so that enterprises can detect breaches themselves in a timely manner.

Secondly, without having monitoring controls in place, a company cannot say with certainty whether the claim of a breach is true or not. This leads to any malicious party being able to claim that they have breached a company, even if they haven't, leading to unnecessary activity needing to be undertaken by the company and its customers, not to mention the potential lack of trust this creates.

Asked to comment on the breach, Adidas said: "At this time we have no information to share beyond what is in our statement".

Image credit: 2p2play / Shutterstock

© 1998-2019 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.