Adidas Confirms Data Breach Impacting Customers Who Interacted with Help Desk in Turkiye

• A new batch of intrusion messages was sent to Adidas customers in Turkiye on Friday.
• The company informed its clients that their personal details were exposed due to a third-party service provider.
• The first announcement of this kind occurred one week earlier and was targeting buyers in Korea.

German sportswear giant Adidas has disclosed a data breach involving unauthorized access to consumer data. According to a company statement released on May 23, an external actor obtained client information held by a third-party customer service provider. 

While Adidas clarified that passwords and credit card data were not compromised, the breached information primarily consists of contact details from consumers who had engaged with the brand’s help desk, so exposed details may include personal contact information.

Customers of Adidas Turkiye received an email announcing that full names, phone numbers, dates of birth, gender details, and email addresses were exposed. A similar message was sent to clients in Korea on 16 May.

The company did not disclose the number of affected customers but announced their immediate response measures included isolating the impacted systems and engaging leading information security experts to coordinate a comprehensive investigation. 

Adidas emphasized its proactive stance, noting that they are currently informing affected consumers directly to ensure transparency and mitigation against potential misuse.

Commenting on the data, Jason Soroko, Senior Fellow at Sectigo said, "Attackers didn’t chase card data, but they siphoned the valuable commodity inside ticket logs-verified emails, phone numbers, shipping addresses, and conversational snippets that reset security questions in downstream systems." 

Soroko further added, "Treat customer service transcripts as high-risk assets and isolate them with zero-trust segmentation before the next attacker does."

For Adidas, reputational risk management also comes into play. While the absence of leaked passwords and payment data lessens immediate financial exposure, contact information alone may serve as a precursor to social engineering attempts or phishing campaigns. 

This places even greater emphasis on consumer education around recognizing and reporting suspicious communications.

Addressing the concerns arising from the data exposure, Fletcher Davis, Senior Security Research Manager at BeyondTrust, said, "Comprehensive visibility into all privileged identities, human and non-human, should be the norm, enabling proactive identification of overprivileged and hidden vulnerabilities before exploitation occurs."

The Adidas data breach once again highlights the need for resilient, end-to-end data security strategies in organizations reliant on third-party services. Transparency and swift action remain paramount in protecting both brand integrity and consumer trust in an increasingly complex threat environment.

Jonathan Stross, SAP Security Analyst at Pathlock, suggested vigilance on the part of impacted users by saying, "Affected customers should watch out for unsolicited messages, spam, and in general, unusual traffic. Attackers may use this to launch phishing attempts. Even though financial data wasn’t leaked, contact information can still be used for identity fraud."

This story has been updated with statements and insights from cybersecurity experts.