Adidas Breach Highlights Growing Risk of Third-Party Cyber Threats in Global Supply Chains

Adidas, the iconic German sportswear brand, is once again under the cybersecurity microscope following a newly disclosed data breach that exposed customer information through a third-party customer service provider. The incident, revealed Friday, underscores the deepening risk that global companies face not from their own infrastructure, but from the extended digital web of service partners embedded in their operations.

In a statement, the company confirmed that “an unauthorized external party obtained certain consumer data through a third-party customer service provider.” While Adidas emphasized that payment information and passwords were not compromised, the attackers did gain access to contact details of customers.

The company has launched a full investigation, brought in cybersecurity experts, and notified the appropriate data protection and law enforcement authorities. Adidas said it is actively informing affected consumers as it works to contain the impact.

Despite the disclosure, Adidas has remained tight-lipped on critical specifics, including the name of the compromised vendor, the number of customers impacted, or whether its own internal systems were accessed during the breach.

This latest incident follows closely on the heels of two other data breaches Adidas disclosed earlier this month, involving customer service centers in Turkey and South Korea. In those cases, the stolen information included names, email addresses, phone numbers, birthdates, and physical addresses—data ripe for phishing and identity fraud.

While the origin of the most recent attack remains unconfirmed, experts are pointing to a familiar vulnerability: third-party risk.

“Although it is unclear who is responsible for the Adidas attack, it has been confirmed that it originated through a third party provider,” said Siân John, chief technology officer at cybersecurity consulting firm NCC Group. “This demonstrates how critical it is for organizations to have oversight of their supplier cyber security posture. Global brands will be at the center of a vast network of third-parties and they are only as strong as their weakest link, so they must collaborate with partners and suppliers to build a robust ecosystem around them.”

John emphasized that today’s organizations must be agile in the face of rapidly evolving threat landscapes.

“Recent large-scale cyber attacks should encourage organizations to reassess their cyber security measures, both in-house and throughout their supply chains. Even if they believe they are secure, with methods of attacks constantly changing, it is key that organizations are agile, and review their measures on a regular basis to adapt to ongoing threats,” she said.

“When it comes to supply chain security specifically, there should be a thorough vetting process at the outset, with regular reviews throughout the relationship to ensure businesses don’t unknowingly leave themselves open to attack.”

This breach also revives memories of Adidas’ 2018 cyber incident, when attackers compromised the personal data of millions of U.S. online shoppers. While no payment data was accessed in that breach either, the attackers walked away with usernames and encrypted passwords—evidence that attackers are playing the long game with stolen identities.

Adidas now joins a growing list of multinational companies hit through vendor-side vulnerabilities, further proving that in today’s hyperconnected digital economy, cybersecurity is only as strong as the farthest link in the supply chain.