Adidas Investigates Alleged Data Breach Involving 815,000 Customer Records
Adidas is currently investigating claims of a significant data breach after a cybercriminal group, operating under the alias LAPSUS-GROUP, alleged unauthorized access to the company’s extranet portal. The group claims to have exfiltrated approximately 815,000 records containing sensitive customer information.
Details of the Alleged Breach
On February 16, 2026, LAPSUS-GROUP posted on BreachForums, asserting they had infiltrated Adidas’s extranet—a restricted web-based portal used by authorized business partners, suppliers, and retailers. The purportedly stolen data includes:
– First and last names
– Email addresses
– Passwords
– Birthdates
– Company information
– Technical data
The group also hinted at possessing an additional 420GB of Adidas-related data specific to the French market, suggesting further disclosures may be forthcoming.
Adidas’s Response
In response to these allegations, an Adidas spokesperson stated:
We have been made aware of a potential data protection incident at one of our independent licensing partners and distributor for martial arts products. This is an independent company with its own IT systems.
The company emphasized that there is no indication that Adidas’s internal IT infrastructure, e-commerce platforms, or consumer data have been affected by this incident.
Context and Previous Incidents
This incident follows a similar breach disclosed in May 2025, where unauthorized access to a third-party customer service provider exposed contact details of customers who had previously reached out to Adidas’s helpdesk. In that case, no passwords or financial data were compromised.
The recurrence of third-party breaches underscores the challenges companies face in securing their supply chains and managing vendor access.
Industry Implications
The Adidas incident is part of a broader trend of cyberattacks targeting major retailers through third-party vendors. For instance, in May 2025, UK retail giants Marks & Spencer, Co-op, and Harrods suffered breaches linked to third-party service providers. These incidents highlight the vulnerabilities in interconnected supply chains and the need for robust security measures across all partners.
Recommendations for Consumers
While Adidas has stated that its internal systems remain unaffected, customers are advised to remain vigilant. It’s prudent to monitor accounts for unusual activity and be cautious of unsolicited communications requesting personal information.
Conclusion
As Adidas continues its investigation into the alleged data breach, the incident serves as a stark reminder of the importance of comprehensive cybersecurity measures, not only within a company’s own systems but also across its entire network of third-party partners.
