Adidas confirms criminals stole data from customer service provider

Adidas is warning customers some of their data was stolen after an “unauthorized” person lifted it from a “third-party customer service provider.”

The sportswear giant said the affected data “mainly consists of contact information relating to consumers who had contacted our customer service help desk in the past.” It did not reveal any time frame beyond the phrase “in the past.”

The Register asked the German sportswear brand for a list of the exact data points involved and for an idea of how many people might be affected, and when they would have submitted their data, but it declined to provide any further details.

It did, however, claim that customers’ most sensitive information wasn’t impacted. 

Adidas said: “The affected data does not contain passwords, credit card, or any other payment-related information.”

To get started with Adidas’ online customer support, the minimum data points a customer must enter includes their first and last names, and email addresses, along with an optional entry of their order number, which may offer some indication as to what info was swiped.

The company said on May 23 that it is in the process of alerting customers who may be impacted by the intrusion, as well as all the relevant data protection and law enforcement authorities.

“We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts,” the statement read.

“We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident,” it went on to say.

The data break-in follows a similar one at Coinbase, disclosed earlier this month. Both are connected in that help desk staff were blamed for the attack, although the crypto company’s case looks to be far more impactful, based on current information.

Coinbase said overseas support staff, who have since been fired, handed over large amounts of customer info and “limited” corporate data, according to last week’s regulatory filing.

The same document stated that around 70,000 users were affected, with basic personal data as well as ID document photos, partial SSNs, masked bank account numbers, Coinbase transaction histories, and more stolen.

Adidas grapples with $1.3B in unsold Yeezy sneakers after breaking up with Kanye West

RISE with AWS? Adidas migrates SAP S/4 HANA to the fluffy white stuff, snubs SAP’s lift-and-shift programme

Adidas now stands for All Day I’m Disconnecting All Servers as owners of ‘smart’ Libra scales furious over bricked kit

Adidas US breach may have exposed millions of customers’ personal info

Even though Adidas’ copied data doesn’t appear to be as extensive as the amount taken from Coinbase, it would certainly be enough for a criminal to craft a reasonably convincing order-related phishing email to the customer (“Enter payment info here?”).

Even though Adidas itself didn’t mention the possibility of follow-on phishing attacks in its statement, experts warn that customers should be wary of any potential attempts from criminals to exploit them.

Javvad Malik, lead security awareness advocate at KnowBe4, said: “While payment data wasn’t compromised, the theft of personal contact details poses risks for potential phishing or other social engineering attacks, so affected customers will need to be vigilant for any communications which appear to originate from Adidas.” ®