On May 23, 2025, Adidas, the renowned German sportswear manufacturer, announced a data breach resulting from unauthorized access to a third-party customer service provider. This incident underscores the escalating risks associated with third-party vendors in the digital age.
Details of the Breach
Adidas disclosed that an external party had gained unauthorized access to consumer data through a third-party customer service provider. The compromised information primarily includes contact details of consumers who had previously interacted with Adidas’ customer service help desk. Importantly, the company said that sensitive data such as passwords and credit card information were not affected. In response, Adidas promptly initiated measures to contain the breach and launched a comprehensive investigation in collaboration with leading information security experts. The company is in the process of notifying potentially affected customers. ([reuters.com](https://www.reuters.com/business/retail-consumer/adidas-warns-consumer-data-breach-2025-05-23/?utm_source=openai))
The Growing Threat of Third-Party Breaches
The Adidas incident is part of a broader trend of cyberattacks exploiting vulnerabilities in third-party vendors. According to a report by SecurityScorecard, approximately 35.5% of all breaches in 2024 were third-party related. This figure is likely conservative due to underreporting and misclassification. The report also highlights that 41.4% of ransomware attacks now start through third parties, with the ransomware group Cl0p being the most prolific user of third-party access vectors. ([darkreading.com](https://www.darkreading.com/cyberattacks-data-breaches/securityscorecard-2025-report-surge-vendor-driven-attacks?utm_source=openai))
Similarly, a study by Computer Weekly revealed that 75% of all recorded cybersecurity breaches originating through a third party occurred after other entities in the victim’s software and technology supply chain were attacked. This statistic underscores the systemic risk posed by interconnected vendor networks. ([computerweekly.com](https://www.computerweekly.com/news/366571699/75-of-third-party-breaches-target-software-IT-supply-chains?utm_source=openai))
Implications for the Retail Industry
The retail sector has become a prime target for cybercriminals, with recent breaches at companies like Dior, Marks & Spencer, Harrods, and Co-Op highlighting the industry’s vulnerability. These incidents reveal a growing pattern of attacks exploiting weaknesses in third-party relationships. Ryan Sherstobitoff, Senior Vice President of Threat Research & Intelligence at SecurityScorecard, emphasized that these attacks are not isolated events but represent a deeper, systematic vulnerability within the retail industry.
Mitigating Third-Party Risks
To address the challenges posed by third-party vendors, organizations should consider the following strategies:
1. Implement Continuous Monitoring: Move from periodic vendor reviews to real-time monitoring to detect and address vulnerabilities promptly.
2. Enforce Strict Access Controls: Ensure that third-party vendors have only the necessary access to systems and data, minimizing potential entry points for attackers.
3. Conduct Regular Security Assessments: Regularly evaluate the security posture of third-party vendors to identify and mitigate potential risks.
4. Establish Incident Response Plans: Develop and test incident response plans that include third-party vendors to ensure a coordinated and effective response to breaches.
5. Promote a Culture of Security: Foster a security-conscious culture within the organization and among third-party vendors to enhance overall cybersecurity resilience.
Conclusion
The Adidas data breach serves as a stark reminder of the critical importance of securing third-party vendor relationships. As cyber threats continue to evolve, organizations must proactively address vulnerabilities within their supply chains to protect sensitive consumer information and maintain trust.