Adidas, the second largest sportswear manufacturer in the world, said last week that millions of its customers may have had their data compromised as the result of a data security incident.
The company said in a brief announcement on its site that it believes customers' contact information, usernames, and encrypted passwords may have been leaked as a result of a compromise.
The company, which is headquartered in Herzogenaurach, Germany, said it learned earlier last week, on June 26, that an "unauthorized party" claimed to have accessed data on consumers.
The press release is slim on details, even by data breach disclosure standards.
It’s unclear whether a white hat researcher informed the company as a gesture of goodwill or if a hacker operating with malicious intent stumbled upon the data. It's also uncertain exactly how many customers - all of its US customers, or just a portion - may be impacted by the incident.
The incident appears to only affect customers of Adidas' US website. The company operates dozens of web stores, including sites for nations in Asia, Europe, and Africa. The company's foreign web stores and the web store of Reebok, another sportswear company owned by Adidas, were not listed as affected.
The company hinted Thursday the number of victims is in the millions.
“We are alerting certain consumers who purchased on adidas.com/US about a potential data security incident. At this time this is a few million consumers,” a spokeswoman for the company told Bloomberg via email on Thursday.
Adidas must have had its customer data segmented - or at least siloed off; it said it doesn't believe that user credit card or fitness information was impacted by the incident.
While the fact that user passwords were encrypted suggests the company was following best practices, it’s likely the incident could have been addressed at its root through a combination of security controls, monitoring, and threat detection capabilities. Without visibility into their data, companies can encounter difficulty visualizing where it’s going and, ultimately, when it’s been breached.
It's the second breach to hit a fitness apparel company in the last several months. In March, Under Armour announced that MyFitnessPal, a nutrition app it acquired in 2015, had been breached to the tune of users' usernames, email addresses, and hashed passwords.