Features 01.07.2025

AI Autopsy: Adidas Cyber Attack

The latest Adidas incident comes amid a wave of numerous high-profile breaches in the retail sector. Assured Intelligence gives the incident the AI autopsy treatment

How did adversaries gain access to the sports giant’s data, and what has the investigation uncovered so far? Kate O’Flaherty performs a complete autopsy on the Adidas cyber attack

In May 2025, sports retailer Adidas issued a statement warning customers that their data had been stolen following a cyber attack on a third-party provider.

It’s not the first time Adidas has been the victim of a breach. Recently, Adidas admitted to an incident affecting people who had contacted customer service centres in South Korea and Turkey in 2024. In 2018, Adidas suffered a breach on its US website.

The latest Adidas incident comes amid a wave of numerous high-profile breaches in the retail sector, including M&S, Harrods and the Co-op.

In this rather gruesome autopsy of the Adidas cyber attack, we examine how adversaries may have gained access to the sports giant’s data, including details of what the investigation has uncovered so far.

How did attackers gain access?

Although Adidas hasn’t confirmed the specific entry vector, Gary Penolver, CTO at Quod Orbis, thinks that adversaries could have taken advantage of compromised API keys or OAuth tokens that allowed direct access to sensitive systems.

Alternatively, they might have targeted staff with phishing attacks to steal credentials, he tells Assured Intelligence. “Another route could have been the exploitation of unpatched vulnerabilities in public-facing applications, or flaws within open-source software components,” he suggests.

The evidence suggests a configuration-based attack, possibly via weak credentials, exposed APIs or open ports – rather than anything more advanced, such as malware infiltration, Jeff Watkins, chief technology officer at CreateFuture, tells Assured Intelligence. “Once in, the attackers bulk extracted data in the areas they had access to.”

Another likely scenario is misconfigured cloud infrastructure on the supplier’s side, such as overly permissive identity and access management (IAM) roles in Amazon Web Services or Azure environments, says Penolver.
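To make the over-permissive IAM role scenario concrete, here is an added Python example (not code from Adidas, its supplier or Quod Orbis) that lints an AWS IAM policy document for the constructs that widen blast radius: wildcard actions, an unconditioned `Resource: "*"`, and actions that mint credentials or rewrite policy. The two policies it checks are constructed for illustration; the bucket name and condition in the scoped one are hypothetical.

```python
"""Flag over-permissive constructs in AWS IAM policy documents.

Added example; the policies below are constructed for illustration and the
bucket name in the scoped one is hypothetical.
"""
import json

# Actions that mint credentials or rewrite policy. An Allow on any of these
# lets an intruder escalate, so they are reported even when resource-scoped.
PRIVILEGE_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:CreateUser", "sts:AssumeRole",
}


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Return one finding per over-permissive construct; empty means clean."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        for action in actions:
            if action == "*":
                findings.append(f"statement {idx}: Action '*' allows every API call")
            elif action.endswith("*"):
                findings.append(f"statement {idx}: wildcard action {action}")
            elif action in PRIVILEGE_ACTIONS:
                findings.append(f"statement {idx}: privilege-granting action {action}")

        # Resource '*' is sometimes unavoidable (some list calls need it) but
        # should then at least be fenced by a Condition such as a source IP,
        # VPC endpoint or resource tag.
        if "*" in resources and not conditioned:
            findings.append(f"statement {idx}: Resource '*' with no Condition")
    return findings


def lint_policy_json(text: str) -> list[str]:
    """Convenience wrapper for a policy document held as JSON text."""
    return lint_policy(json.loads(text))


# Constructed examples (not real policies): a supplier integration role that
# can do anything, and a least-privilege version of the same role.
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-contact-centre-exports/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-contact-centre-exports",
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("overly permissive", OVERLY_PERMISSIVE), ("scoped", SCOPED)):
        print(f"{name}: {lint_policy(policy) or ['no findings']}")
```

Run against a real account, the same checks belong in a pipeline that gates every role a supplier is issued, so a wildcard never reaches production unreviewed.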

What did Adidas’ adversaries do once in, and how did they avoid detection?

Once they gained access, adversaries could have used a tool similar to Cobalt Strike, a commercial adversary-simulation framework whose command-and-control capabilities are widely abused by real attackers. Another scenario might have seen attackers deploying remote access trojans (RATs) to maintain control and navigate within the supplier’s network, Penolver hypothesises.

Attackers were also able to hide. Available indicators suggest adversaries used “sophisticated data exfiltration methods”, potentially via encrypted channels such as Transport Layer Security (TLS) or through DNS tunnelling to avoid detection, says Penolver.
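As an added example of how the DNS-tunnelling scenario above is actually caught (illustration only, not anything from the Adidas investigation or from Quod Orbis), the following Python profiles DNS query logs per zone and flags zones whose subdomain labels are long, high-entropy and almost never repeated, which is the signature of data encoded into query names. The log lines are constructed; the zone names are hypothetical, and the registered-domain split assumes the last two labels, a simplification standing in for a public-suffix list.

```python
"""Spot DNS tunnelling from query logs by profiling subdomain labels per zone.

Added example with constructed log lines; exfil-example.net is hypothetical.
"""
import math
from collections import defaultdict

# Constructed query log: timestamp, client, query name, query type.
SAMPLE_LOG = """\
2025-05-12T10:01:03Z 10.20.0.15 www.example.com A
2025-05-12T10:01:09Z 10.20.0.15 mail.example.com A
2025-05-12T10:01:15Z 10.20.0.22 www.example.com A
2025-05-12T10:01:20Z 10.20.0.22 api.example.com AAAA
2025-05-12T10:01:31Z 10.20.0.15 cdn.example.com A
2025-05-12T10:01:44Z 10.20.0.22 www.example.com A
2025-05-12T10:02:01Z 10.20.0.31 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.exfil-example.net TXT
2025-05-12T10:02:02Z 10.20.0.31 q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6.exfil-example.net TXT
2025-05-12T10:02:03Z 10.20.0.31 z9x8c7v6b5n4m3l2k1j0h9g8f7d6s5a4.exfil-example.net TXT
2025-05-12T10:02:04Z 10.20.0.31 m1n2b3v4c5x6z7l8k9j0h1g2f3d4s5a6.exfil-example.net TXT
2025-05-12T10:02:05Z 10.20.0.31 p0o9i8u7y6t5r4e3w2q1l0k9j8h7g6f5.exfil-example.net TXT
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str) -> tuple[str, str]:
    """Return (registered zone, subdomain part).

    Assumption: the zone is the last two labels. A real deployment should use
    the public suffix list so that names under e.g. .co.uk split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_zones(log_text: str) -> dict:
    """Aggregate per-zone statistics from 'ts client qname qtype' lines."""
    zones = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                                 "entropy_sum": 0.0, "length_sum": 0, "txt_null": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        zone, sub = split_zone(qname)
        z = zones[zone]
        z["queries"] += 1
        z["subdomains"].add(sub)
        z["clients"].add(client)
        z["entropy_sum"] += shannon_entropy(sub)
        z["length_sum"] += len(sub)
        if qtype in ("TXT", "NULL"):  # record types that carry the most payload
            z["txt_null"] += 1
    summary = {}
    for zone, z in zones.items():
        n = z["queries"]
        summary[zone] = {
            "queries": n,
            "clients": len(z["clients"]),
            "unique_ratio": len(z["subdomains"]) / n,
            "mean_entropy": z["entropy_sum"] / n,
            "mean_length": z["length_sum"] / n,
            "txt_null_ratio": z["txt_null"] / n,
        }
    return summary


def flag_tunnelling(log_text: str, min_queries=5, min_entropy=3.0,
                    min_length=30, min_unique_ratio=0.8) -> list[str]:
    """Zones whose subdomains look like encoded data rather than host names."""
    flagged = []
    for zone, s in profile_zones(log_text).items():
        if (s["queries"] >= min_queries and s["mean_entropy"] >= min_entropy
                and s["mean_length"] >= min_length
                and s["unique_ratio"] >= min_unique_ratio):
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    for zone, stats in profile_zones(SAMPLE_LOG).items():
        print(zone, {k: round(v, 2) for k, v in stats.items()})
    print("flagged:", flag_tunnelling(SAMPLE_LOG))
```

The thresholds are deliberately conservative starting points: ordinary host names are short and low-entropy, while a tunnel has to pack payload into every label and cannot reuse names without losing data, so all four conditions hold together only for the exfiltration zone. Tune `min_queries` upwards on busy resolvers and whitelist CDNs that legitimately use long hashed labels.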

At the same time, the attackers probably employed living-off-the-land binary (LOLBin) techniques, using legitimate system tools or sanctioned third-party applications to remain stealthy.

Lateral movement could have been facilitated through compromised Remote Desktop Protocol (RDP) credentials or flaws in Active Directory configurations, especially if the supplier operated a hybrid or domain-trusted environment, Penolver adds.

The fact that the attack was successful implies that the supplier’s detection capabilities were “inadequate”, with existing control gaps possibly resulting in privilege escalation or lateral access, according to Penolver.

What has the investigation uncovered so far?

Adidas confirmed that the compromised data did not include passwords, credit card information or any other payment-related details. However, attackers did gain access to the contact information of customers who had previously interacted with the company’s help desk.

While public details remain limited, technical insights shared by the sports giant so far trigger some inferences about what happened, says Quod Orbis’ Penolver. “Adidas’s ability to isolate the incident to a third party suggests that some form of network segmentation and logging was in place.”

There has been no public evidence of ransomware or destructive payloads, which implies this was a “targeted data exfiltration operation, rather than a broad disruptive attack”, he adds.

The primary root cause analysis suggests that call centre data retention was to blame, with old transcripts and records retained and accessible beyond active service operations. Off the back of this, Adidas is now accelerating its zero trust rollout, strengthening multifactor authentication (MFA) and increasing vendor oversight and security expectations, CreateFuture’s Watkins says.

What consequences does Adidas now face?

While payment details remain safe, the breach did expose personal information such as names, contact information and possibly purchase order histories. In addition, if login credentials were accessible within the compromised environment, there’s also a risk of credential theft, Quod Orbis’ Penolver warns.

This could lead to Adidas facing regulatory consequences, as well as the inevitable damage to its reputation.

The repercussions could be particularly bad if regulators determine that vendor oversight was insufficient, Tim Grieveson, CSO at ThingsRecon, tells Assured Intelligence.

How good was Adidas’ response?

In Adidas’ defence, the firm acted swiftly to mitigate the damage, containing the breach immediately and contacting impacted customers as soon as possible. Adidas also connected with external security experts to “understand what happened” and “work out how to build resilience for the future”, Pierre Noel, field CISO EMEA at Expel, tells Assured Intelligence.

To its credit, Adidas responded quickly, which could have limited further damage, agrees ThingsRecon’s Grieveson. The incident response communications were clear, confirming that no payment or password data was affected, he says. “The company notified impacted customers and met its regulatory disclosure obligations. That is the minimum expected, but it’s still essential.”

Adidas did (and is still doing) a lot right to remedy things, says CreateFuture’s Watkins. “They had enough segmentation to limit the blast radius, and they’re accelerating the rollout of modern cybersecurity measures. However, they lacked vendor diligence and oversight, active monitoring, and data handling hygiene, which must be addressed.”

There were also gaps in the sports brand’s communication. Adidas initially left out “basic details”, including which supplier was compromised and when the breach occurred. “That lack of clarity has caused some concerns about the scale of the issue and potential impact on other organisations,” says Grieveson.

Adidas is now reviewing its vendor management processes and reportedly updating its supplier contracts to include more precise terms around incident reporting and liability. “These are important steps, but they are reactive,” says Grieveson. “Stronger controls and visibility should ideally be in place before any data is compromised.”

How should CISOs respond?

Adidas’ response to the latest supplier breach is a mixed bag, so what can CISOs learn from it?

Preparation for incidents is a crucial factor in ensuring you are in a strong position from the outset. In the wake of the Adidas breach, Richard Breavington, partner and head of cyber and tech insurance at law firm RPC, predicts an increased focus on the robustness of incident response plans, particularly across international operations.

“CISOs will be under pressure to show how prepared their organisations are – not just to detect and respond to threats, but to sustain core operations and protect brand trust if a breach occurs,” he tells Assured Intelligence.

At the same time, supply chain threats are something all businesses should be aware of. To protect yourself from these attacks, cybersecurity should be embedded into the business, with third-party risk management and regular audits treated as “a core part of that effort”, says ThingsRecon’s Grieveson. “If external suppliers have access to systems or data, they must be held to the same security standards as internal teams, backed by clear governance, oversight and accountability.”

How to boost security to prevent third-party breaches
  • Managing application programming interface (API) risk is “crucial”, says Quod Orbis’ Penolver. This includes using secure API gateways, enforcing least privilege and monitoring for abnormal API behaviour, he advises.
  • Ensure multi-factor authentication (MFA) and logging are mandated, says Penolver.
  • Supplier security should be a priority. “It’s important to evaluate third-party vendors and ensure they adhere to required security standards,” says Shobhit Gautam, staff solutions architect, EMEA at HackerOne.
  • Implement strict access controls to sensitive data and ensure that all access is monitored, Gautam says.
  • Have a well-defined and regularly tested incident response plan. This is “crucial for minimising damage and ensuring a swift recovery” in the event of a breach of a third party, Gautam advises.
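The advice above on monitoring for abnormal API behaviour, and Watkins’ earlier observation that the attackers “bulk extracted data in the areas they had access to”, both come down to noticing when a credential suddenly pulls far more records than it ever has. The following Python is an added example (not code from Adidas, any supplier, Quod Orbis or HackerOne) that baselines each API key’s hourly record volume against its own history and raises an alert when an hour exceeds either an absolute cap or a multiple of that key’s median. The access log is constructed; the key names and paths are hypothetical.

```python
"""Detect bulk extraction through an API by comparing each key's hourly
record volume with its own history.

Added example with a constructed access log; key names and paths are
hypothetical and not from any real Adidas or supplier system.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed API gateway log: timestamp, API key id, method, path, records returned.
# key-int-03 is an integration key with a quiet history that then pages through
# the whole customer table; key-agent-17 is an agent doing single lookups.
SAMPLE_LOG = """\
2025-05-11T09:02:10Z key-int-03 GET /v1/customers?since=2025-05-10 5
2025-05-11T09:17:44Z key-int-03 GET /v1/customers?since=2025-05-10 5
2025-05-11T09:33:02Z key-int-03 GET /v1/customers?since=2025-05-10 5
2025-05-11T09:48:51Z key-int-03 GET /v1/customers?since=2025-05-10 5
2025-05-11T14:05:20Z key-int-03 GET /v1/customers?since=2025-05-11 8
2025-05-11T14:20:31Z key-int-03 GET /v1/customers?since=2025-05-11 8
2025-05-11T14:36:12Z key-int-03 GET /v1/customers?since=2025-05-11 8
2025-05-12T09:00:04Z key-agent-17 GET /v1/customers/4471 1
2025-05-12T09:03:11Z key-agent-17 GET /v1/customers/9820 1
2025-05-12T09:07:40Z key-int-03 GET /v1/customers?page=1&size=500 500
2025-05-12T09:07:42Z key-int-03 GET /v1/customers?page=2&size=500 500
2025-05-12T09:07:44Z key-int-03 GET /v1/customers?page=3&size=500 500
2025-05-12T09:07:46Z key-int-03 GET /v1/customers?page=4&size=500 500
2025-05-12T09:07:48Z key-int-03 GET /v1/customers?page=5&size=500 500
2025-05-12T09:12:30Z key-agent-17 GET /v1/customers/1133 1
"""


def parse_log(text: str) -> list[dict]:
    """Turn 'ts key method path records' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key, method, path, records = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "key": key, "method": method, "path": path, "records": int(records),
        })
    return events


def hourly_volumes(events: list[dict]) -> dict[str, list[tuple[datetime, int, int]]]:
    """Per key, chronologically ordered (hour start, calls, records returned)."""
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for e in events:
        start = e["ts"].replace(minute=0, second=0, microsecond=0)
        b = buckets[e["key"]][start]
        b[0] += 1
        b[1] += e["records"]
    return {key: [(start, c, r) for start, (c, r) in sorted(per_key.items())]
            for key, per_key in buckets.items()}


def flag_bulk_extraction(events: list[dict], hard_cap: int = 1000,
                         ratio: float = 10.0) -> list[dict]:
    """Alert on hours where a key returned more records than an absolute cap,
    or more than `ratio` times the median of that key's own earlier hours."""
    alerts = []
    for key, series in hourly_volumes(events).items():
        history = []  # record totals of this key's earlier hours
        for start, calls, records in series:
            reasons = []
            if records > hard_cap:
                reasons.append(f"exceeds hard cap {hard_cap}")
            if history and records > ratio * median(history):
                reasons.append(f"{records / median(history):.0f}x this key's median hour")
            if reasons:
                alerts.append({"key": key, "hour": start.isoformat(), "calls": calls,
                               "records": records, "reasons": reasons})
            history.append(records)
    return alerts


if __name__ == "__main__":
    for alert in flag_bulk_extraction(parse_log(SAMPLE_LOG)):
        print(alert)
```

The per-key baseline matters more than the cap: a supplier integration that legitimately syncs thousands of rows a night would trip a global cap daily, but its own median would absorb that, while a contact-centre lookup key that jumps from single-digit records to a full page-through stands out immediately. Pair the alert with an automatic key suspension and the exfiltration window shrinks from days to minutes.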
