Adidas faces renewed scrutiny as cybercriminals claim theft of personal data through a compromised licensing partner, raising GDPR and CCPA compliance concerns amid a pattern of third-party security failures.

Adidas has launched an investigation into a data breach at an independent licensing partner after cybercriminals claimed to have stolen sensitive customer information from the sportswear giant's systems. The breach marks the second third-party security incident involving Adidas in less than a year, highlighting persistent vulnerabilities in the company's supply chain security.
The breach occurred at an unnamed martial arts product distributor that operates as an independent entity with separate IT infrastructure. According to posts on hacking forum BreachForums by individuals claiming affiliation with the Lapsus$ Group, attackers accessed Adidas' extranet and exfiltrated 815,000 records containing:
- Full names
- Email addresses
- Passwords (potentially hashed)
- Dates of birth
- Company affiliations
- Technical infrastructure data
While Adidas confirmed no compromise of its internal systems or consumer-facing e-commerce platforms, the incident exposes significant regulatory risks under both European and California data protection frameworks. Under GDPR Article 28, companies remain legally responsible for ensuring third-party processors implement adequate security measures. Failure to conduct proper due diligence could trigger fines up to 4% of global annual revenue (approximately €468 million based on Adidas' 2025 earnings). For affected California residents, CCPA violations carry penalties of $750 per intentional violation.
For consumers, the exposed data creates tangible risks:
- Credential Stuffing Attacks: Compromised email-password combinations could be used to hijack accounts on other platforms
- Targeted Phishing: Birthdates and company affiliations enable highly personalized scam campaigns
- Identity Theft: Sufficient PII exists to attempt financial fraud
The breach follows Adidas' May 2025 incident, in which another third party, a customer service provider, leaked customer data. This pattern suggests inadequate vendor risk management despite previous warnings. Security analysts note the attacker group—now operating as Scattered Lapsus$ Hunters—represents an evolved threat combining Lapsus$' social engineering tactics with ShinyHunters' data scraping techniques.
Adidas faces critical next steps:
- Conduct a forensic audit of the licensing partner's security controls
- Notify affected individuals per GDPR's 72-hour requirement
- Implement vendor security certification programs
- Prepare for potential class-action lawsuits from impacted EU/US consumers
The recurrence of third-party breaches underscores how supply chain vulnerabilities undermine corporate accountability. As regulatory bodies increase scrutiny of vendor management practices, companies must treat partner security as an extension of their own infrastructure—not an outsourced responsibility.