Adidas has confirmed it is investigating a cyberattack that saw customer data accessed through an undisclosed third-party provider, in the latest blow to the retail sector’s already embattled cybersecurity defences.
The German sportswear brand said the breach occurred in the US and involved limited consumer data — with no financial or fitness information compromised. However, the incident places further scrutiny on retailers’ reliance on complex digital ecosystems, as attacks on supply chain partners increasingly serve as back doors to customer information.
The company has begun contacting affected customers, though has not disclosed how many individuals are impacted. The breach follows a wave of cyber incidents across the retail landscape, including attacks on WHSmith, JD Sports, and The Works in the UK alone over the past year.
Security experts say the scale and sophistication of attacks are evolving rapidly, especially with the integration of artificial intelligence into attackers’ arsenals.
“Attackers are evolving fast, using AI to supercharge phishing campaigns, automate exploits, and evade detection with alarming precision,” said Nadir Izrael, Co-Founder and CTO at Armis. “In this environment, traditional defences simply cannot keep up. Legacy point products and siloed security solutions are putting security teams on the back foot, leaving them not only open to vulnerability exploits, but also forcing them into a reactive stance — addressing breaches only after the damage is done.”
The stakes are particularly high in retail, where operational continuity, trust, and brand reputation are tightly intertwined. Commenting on the wider implications, Andy Norton, European Cyber Risk Officer at Armis, warned: “These incidents highlight the increasingly high stakes in retail — a sector where even brief disruptions can lead to empty shelves, trigger panic buying, and cause wider supply chain issues. With sprawling digital supply chains, high volumes of customer data, and the need for always-on operations, retailers have become prime targets. In fact, 41% of retailers have seen an increase in threat activity over the last six months — and these threat actors will not be slowing down anytime soon.”
The Adidas breach underscores a growing trend of indirect attacks — where the target organisation is compromised through vendors, partners, or other supply chain channels. As retailers expand digital capabilities, they must also rethink how security responsibilities are shared and monitored across third parties.
Analysts say businesses need to shift from reactive to proactive postures, including cyber hygiene education, continuous risk monitoring, and more integrated security strategies.
Adidas has not yet confirmed whether it has involved US regulators or law enforcement, though affected users are being notified individually. The firm said it is working to “determine the full scope of the incident and take appropriate steps to address it”.
In light of recent retail cyberattacks, the BQ team has spoken with experts to develop a retail cyber resilience playbook. Read our full analysis and download the report at Business Quarter Executive on Substack.
