We often hear the news of a cyberattack in large and established companies, like Microsoft, Google and even major financial institutions. Now, Adidas, the largest sports apparel company in the world, has become the victim of a cyberattack. This cyberattack discloses their weakness in maintaining the network.
Adidas disclosed that the cyber criminals had collected certain consumer data, including contact details of the people who had contacted its help desk. Although passwords, credit cards and other payment details have not been compromised.
Cyberattack on Adidas
On May 23, Adidas published a report on its website on the topic of data security information. In this report, they have revealed that their customer data has been accessed by an unauthorised external party. This external party has collected data through a third-party customer service provider and accessed the contact information of the customers who had previously interacted with the help desk.
Adidas said that, “We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident.” However, they ensure their customers by saying that none of the sensitive data, like the credit card details, passwords to their accounts and other payment information, is safe with the company, and they are not compromised.
However, Adidas instantly responded to the cyberattacks by launching a thorough investigation of the attack. The collaboration with the cybersecurity experts allows them to save the sensitive data. The company is committed to providing clear and timely updates about the condition of the customer data.
The authority of the sportswear company informed that, “Adidas is in the process of informing potentially affected consumers as well as appropriate data protection and law enforcement authorities consistent with applicable law.”
However, the consumer advocacy group, Which? expressed concerns about the customer’s data that have been stolen. Lisa Barber, from this group, has said that “Adidas customers will understandably be worried that their personal data has fallen into the hands of hackers who might try to exploit it, so it is vital that Adidas provides clear and timely updates to affected shoppers and supports them in taking steps to protect themselves.”
🚨 Adidas recently disclosed a cyber attack where customer data, including names, emails, and phone numbers, was stolen via a third-party provider. This breach highlights the growing risks of third-party vulnerabilities in today’s digital landscape.
— Secria (@SecriaMe) May 27, 2025
1/3 pic.twitter.com/apFvRV4JOz
Past cyberattacks on Adidas
November 2011
In November 2011, millions of data points of the customers of Adidas were stolen through a cyberattack. Several websites of the company, including adidas.com, adidasgroup.com, and reebok.com, were shut down. During that period, the hackers claimed that they had stolen 500,000 data that included emails, plain-text passwords and addresses.
In a statement, the company said, “Nothing is more important to us than the privacy and security of our consumers’ personal data. We appreciate your understanding and patience during this time.”
June 2018
During the month of June 2018, Adidas faced another cyberattack that affected its US website. Adidas spotted that an unauthorised party had accessed the US website and stolen some sensitive information of the customers. The sensitive data included contact information, encrypted passwords and usernames of millions of users of the company in the US.
The breach was detected by the company on 26 June, and they confirmed the breach on 28 June. The company stated that, “According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”
April 2025
Since April 2025, there are several cyberattack links have been found by cybersecurity experts. The UK police have investigated that a cybercrime group of English-speaking hackers have been attacking companies. Scattered Spider is their group name. This group has been found to have a link in cyberattacks on M&S, Co-op and Harrods. Hence, the police have been thinking that they might have a link to the attack on Adidas and steal their data from April 2025.
M&S has faced £300 million losses because of a cyberattack from this group. Although Adidas does not losses that huge amounts of customers, there is a chance that after the data loss in May 2025, the group might again plan to attack the company and steal their data.
Scatter Spider Group
The Scatter Spider Group is a highly skilled and native English-speaking group of people within a cybercriminal group. It has been believed that the group primarily operates across North America and Europe. They use advanced social engineering methods and phishing campaigns to steal data.
This group is not like another traditional group of cybercriminals to do ransomware attacks. They directly target the cloud infrastructure and exploit human weaknesses within companies.
However, in the last year, the US Department of Justice has found that the group sent fake tests to the employees of an organisation and tricked them into providing confidential data. Consequently, they get access to people’s intellectual properties and also digital wallets.
The group has targeted major organisations like MGM Resorts, Caesars Entertainment, Marks & Spencer and Co-op. From these attacks, a pattern has been observed that the group infiltrates the system by using phishing emails, impersonating employees or IT staff and fake helpdesk calls. The group efficiently plan every attack and coordinates the group so that sensitive data can be explored.
What is the purpose of this group? Well, it has been found that the main goal of the Scatter Spider Group is the financial gain through ransomware attacks and extortion. They are targeting high-profile companies like Marks & Spencer, MGM Resorts and now Adidas. They use a double-extortion model to ensure that if the company restore their data without paying, the threat of revealing the stolen data remains high.
Although Adidas did not reveal any data about which third-party service provider was used to attack the company, there is a high chance that the Scatter Spider Group might have a link to the cyberattack. Adidas needs to strengthen its system.
Why do cyberattacks happen more often?
In recent years, the number of cyberattacks has become common, and there are several key reasons behind this. In the year 2024, the IoT malware attacks have risen by 107%, showcasing their vulnerabilities to companies. Each data breach costs around $4.4 million. The frequency of data breaches increased by 72% between the year 2021 and 2023. The total number of data breaches between these two years amounted to 3,122.
However, one of the main reasons for the growing frequency of cyberattacks on companies like Adidas is the rapid advancement of technology. Adidas use technologies like Generative AI, Augmented Reality (AR), Virtual Reality (VR), IoT and advanced personalisations. These cutting-edge technologies allow Adidas to stay competitive. A small indifference towards cybersecurity can create vulnerabilities through which hackers can quickly exploit, as happened recently at Adidas.
The profitability of cybercrime can be highlighted as another reason. Many cyber criminals sold the personal data of people, like names, emails and login credentials, to the dark web at a high price. Sometimes hackers use ransomware to steal all the personal data of customers and demand huge sums of money from the companies. Hence, the customers of Adidas need to be careful in sharing their information, as this kind of activity can exploit their lives.