Adidas confirms customer data was accessed during cyber attack

Adidas has suffered a data breach that has affected customers who have previously had cause to contact the sportswear brand’s customer service helpdesk.

The company confirmed the incident in a post on its website, dated 23 May 2025, that stated it had recently suffered a data breach after an unauthorised external party obtained “certain consumer data” through a third-party customer service provider used by Adidas.

“We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts,” said the company statement.

Adidas also confirmed that the affected data does not contain passwords, credit card credentials or any other payment-related information.

“It mainly consists of contact information relating to consumers who had contacted our customer service helpdesk in the past,” the company statement continued.

“Adidas is in the process of informing potentially affected consumers, as well as appropriate data protection and law enforcement authorities consistent with applicable law.”

The company closed out the statement by saying it remains “fully committed to protecting the privacy and security of our consumers” and that it “sincerely regrets any inconvenience or concern caused by this incident”.

Computer Weekly contacted Adidas for further comment on the breach, requesting clarity from the company about the number of customers potentially affected and precise details on when details of the breach first came to light. At the time of writing, no response had been received.

Adidas is the latest household retail brand to fall victim to a cyber attack in recent weeks, with retailers Marks and Spencer (M&S) and Co-op also hitting the headlines recently after their systems were infiltrated by unauthorised third parties.

As previously reported by Computer Weekly, M&S is still in the process of restoring its operations after falling victim to a ransomware attack that is estimated will cost the firm £300m.

News of the incident first broke in late April 2025, and M&S recently confirmed that it might take until July 2025 for its systems to fully recover.

Just over a week later, on 30 April 2025, Co-op revealed it had proactively taken systems offline following a series of hacking attempts. 

While it remains unclear at this time if the Adidas attack is linked, the recent wave of cyber attacks against British retailers prompted the National Cyber Security Centre (NCSC) to issue an alert at the start of May, warning other retailers that they could be targeted too.

“The disruption caused by the recent incidents impacting the retail sector is naturally a cause for concern to those businesses affected, their customers and the public,” said NCSC CEO Richard Horne, in a statement published on 2 May 2025.

“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture,” he added.

“These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”