Sportswear giant Adidas has confirmed a data breach that exposed customer information stored by a third-party service provider. While the company insists no passwords or payment details were compromised, the incident still poses serious risks for affected individuals.
What Was Stolen
According to Adidas, hackers accessed “certain consumer data,” mainly contact information for people who had contacted their help desk. The firm stated that no financial data or login credentials were taken. But that doesn’t mean consumers are safe.
Contact data, such as names, email addresses, and phone numbers, provides fraudsters with enough information to carry out a wide range of scams. Once attackers gain a foothold, even through limited data, they can use it to engineer trust, manipulate targets, and launch follow-up attacks.
Personal contact information may seem harmless in isolation. However, to fraudsters, it serves as a gateway to a wide variety of scams. They use this data to create convincing phishing emails, spoofed text messages, and fraudulent calls. Victims are more likely to fall for these scams if they recently contacted Adidas and expect further communication. That gives attackers the perfect cover.
Fraudsters may impersonate Adidas, claiming to offer account support or refunds. They might use phone numbers to register fake accounts or target consumers with malware through malicious links. In some cases, stolen emails end up in broader criminal marketplaces. They are sold to others for use in identity theft scams or phishing campaigns.
Growing Threats
The Adidas breach follows a wave of recent cyberattacks on UK retailers. Marks & Spencer and the Co-op were also targeted, with the M&S hack causing operational disruptions and a projected cost of £300 million. Adidas confirmed that no similar operational impact has occurred in their case. Still, this breach adds to growing concerns about the security of customer data in the retail industry.
Recent reports state that police are investigating whether a group known as Scattered Spider may be responsible for some of these attacks. Although there is currently no evidence linking this group to the Adidas breach, their past attacks on brands like Harrods and M&S have been highly disruptive. This is not Adidas’ first data security issue in 2025. The company previously reported breaches in Turkey and South Korea, raising further concerns about its global cybersecurity posture.
Adidas’ Response
Adidas states that it acted promptly to contain the breach once it became aware. It launched an investigation and brought in external cybersecurity experts to support the response. The company is now notifying affected customers and has informed data protection authorities. In a statement, Adidas said it “remains fully committed to protecting the privacy and security of our consumers and sincerely regrets any inconvenience or concern caused by this incident.”
Consumer rights group Which? urged Adidas to keep shoppers informed and proactive in supporting them. Lisa Barber, from Which? warned customers to remain vigilant against follow-up scams. She advised monitoring bank statements and credit reports and being cautious of unexpected contact by email, text, or social media.
What You Should Do Now
Even if financial data wasn’t stolen, customers should act. Here’s what security experts recommend:
- Be cautious of any emails or calls claiming to be from Adidas. Don’t click on links or provide details unless you can verify the source.
- Enable two-factor authentication on all key accounts. This adds an extra layer of protection.
- Monitor your credit report. Services like Experian or Equifax allow you to check for unusual activity.
- Look out for personalised phishing scams. These may refer to your recent contact with Adidas.
- Report anything suspicious. If you suspect fraud, report it to Action Fraud as soon as possible.
A Wake-Up Call
This breach highlights the importance of robust data protection strategies, not just at the corporate level but across all third-party partners. Retailers must improve their vendor management processes. They must ensure third-party platforms follow the same security standards as the main brand. Too often, hackers exploit the weakest link — and it’s frequently outside the company’s direct control.
As cyberattacks become more frequent and more sophisticated, contact information is no longer a “low-risk” category. It is a tool. And when it falls into the wrong hands, it becomes the first step in a wider, more damaging fraud strategy. Adidas may have avoided a worst-case scenario, but the breach remains serious nonetheless. Contact details are not harmless. They are a key weapon in a fraudster’s arsenal.
We must stop viewing data breaches as minor unless passwords or payment details are involved. Every breach is a threat multiplier. It opens the door to further scams, deeper fraud, and long-term harm. Retailers must treat every data leak seriously — and so must the public. Because, in today’s threat landscape, even a name and a phone number are enough to initiate other scams.
