The Most Comprehensive Data Protection Solution
Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.
First and Only Solution to Converge:
- Data Loss Prevention
- Endpoint Detection and Response
- User and Entity Behavior Analytics
The sporting goods company Adidas said late last week its US e-commerce site fell victim to a data security incident, spilling user emails, encrypted passwords and usernames.
Adidas, the second largest sportswear manufacturer in the world, said last week that millions of its customers may have had their data compromised as the result of a data security incident.
The company said in a brief announcement on its site that it believes customers' contact information, usernames, and encrypted passwords may have been leaked as a result of a compromise.
The company, which is headquartered in Herzogenaurach, Germany, said it learned earlier last week, June 26 that an "unauthorized party" claimed to have accessed data on consumers.
The press release is slim on details, even by data breach disclosure standards.
It’s unclear whether a white hat researcher informed the company as a gesture of goodwill or if a hacker operating with malicious intent stumbled upon the data. It's also uncertain exactly how many customers - all of its US customers, or just a portion - may be impacted by the incident.
The incident appears to only affect customers of Adidas' US website. The company operates dozens of web stores, including sites for nations in Asia, Europe, and Africa. The company's foreign web stores and Reebok's - another sportswear company owned by Adidas - web store were not listed as affected.
The company hinted Thursday the number of victims is in the millions.
How to Protect Unstructured Sensitive Data
“We are alerting certain consumers who purchased on adidas.com/US about a potential data security incident. At this time this is a few million consumers,” a spokeswoman for the company told Bloomberg via email on Thursday.
Adidas must have had its customer data segmented - or at least siloed off; it said it doesn't believe that user credit card or fitness information was impacted by the incident.
While the fact user passwords were encrypted suggests the company was following best practices, it’s likely the incident could have been addressed at its root through a combination of security controls, monitoring, and threat detection capabilities. Without visibility into its data, companies can encounter difficulty visualizing where its going and ultimately, when its been breached.
It's the second breach to hit a fitness apparel company in the last several months. In March Under Armour announced that MyFitnessPal, a nutrition app it acquired in 2015, had been breached to the tune of users' usernames, email addresses, and hashed passwords.