Sports clothing and equipment manufacturer adidas has warned US customers of a data breach. The breach came to light on June 26, but it was not adidas that discovered it.
It appears that adidas was informed of the breach by a third party who claimed to have access to some adidas customer data. That third party may have been trying to ransom the data back to adidas.
The company has issued its own statement about the event saying:
“adidas today announced that it is alerting certain consumers who purchased on adidas.com/US about a potential data security incident. On June 26, adidas became aware that an unauthorized party claims to have acquired limited data associated with certain adidas consumers.
“adidas is committed to the privacy and security of its consumers’ personal data. adidas immediately began taking steps to determine the scope of the issue and to alert relevant consumers. adidas is working with leading data security firms and law enforcement authorities to investigate the issue. According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.
“While adidas continues its thorough forensic review, adidas is alerting relevant consumers.”
What data has adidas lost?
At the moment, first indications are that this is a limited data breach affecting adidas US customers only. However, as has been seen in other breaches such as Equifax, initial claims can be misleading. This is because multinational companies often aggregate data for analysis and marketing. As such, data sets get moved between locations. Until the investigation is complete, we cannot be sure that this is contained to US customers only.
adidas has said that the data lost includes personal data such as contact information, usernames and encrypted passwords. Importantly, it appears that credit card data and personal health data were not taken. One of the concerns will be how the passwords were protected and how strong that protection is. adidas is, rightly, keeping quiet about that, but all users, irrespective of where they are located, should change their passwords.
Commenting on the breach, David Ross, VP of Research at SecureAuth + Core Security, said: “Customers who have shared contact information including addresses, email addresses, and login information, should immediately reset passwords on other accounts where they may have reused the same password. They should also be vigilant to help mitigate the potential effects of identity theft.”
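The strength of the stolen “encrypted passwords” and the advice to reset reused passwords are two sides of the same point: how a retailer stores passwords decides what an attacker can do with a leaked copy. The example below is added here to illustrate that; it is not code from adidas or from the article. It contrasts a fast unsalted digest with a salted, slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), and shows why unsalted storage lets leaked datasets be cross-matched for reused passwords without cracking a single one. The iteration count, salt size and the two fictional retailer datasets are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Work factor and salt size are illustrative assumptions for this example,
# not values disclosed by adidas or anyone else.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """Weak storage: one unsalted SHA-256 digest per password.

    The same password always yields the same digest, so leaked records can be
    matched against precomputed tables and against other breached datasets.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stronger storage: a random per-user salt plus a slow key derivation
    (PBKDF2-HMAC-SHA256), encoded as 'pbkdf2_sha256$<iters>$<salt>$<digest>'.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so the check leaks nothing through timing."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def count_digest_matches(records_a: List[Dict[str, str]],
                         records_b: List[Dict[str, str]]) -> int:
    """How many records in dataset A carry a stored value that also appears in
    dataset B: reused passwords an attacker could spot by comparison alone."""
    stored_b = {rec["stored"] for rec in records_b}
    return sum(1 for rec in records_a if rec["stored"] in stored_b)


# Constructed sample data: two fictional retailers with overlapping customers,
# two of whom reuse the same password on both sites.
RETAILER_A = [("alice@example.com", "Summer2018!"),
              ("bob@example.com", "Summer2018!"),
              ("carol@example.com", "uniq-pass-7")]
RETAILER_B = [("alice@example.com", "Summer2018!"),
              ("bob@example.com", "Summer2018!"),
              ("dave@example.com", "another-one")]


def build_store(users, hasher) -> List[Dict[str, str]]:
    """Simulate a retailer's credential table using the given storage scheme."""
    return [{"email": e, "stored": hasher(p)} for e, p in users]


def correlation_demo() -> Tuple[int, int]:
    """Return (matches with unsalted hashing, matches with salted PBKDF2)."""
    unsalted = count_digest_matches(build_store(RETAILER_A, fast_unsalted_hash),
                                    build_store(RETAILER_B, fast_unsalted_hash))
    salted = count_digest_matches(build_store(RETAILER_A, hash_password),
                                  build_store(RETAILER_B, hash_password))
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = correlation_demo()
    print(f"reused passwords visible by digest comparison: "
          f"unsalted={unsalted}, salted={salted}")
```

With the unsalted scheme the two reused passwords show up as identical stored values in both leaked tables; with per-user salts the same passwords produce unrelated records, and the only route left is a slow guess per user. Neither scheme removes the need for affected users to change reused passwords, which is why the reset advice above stands regardless of what “encrypted” turns out to mean.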
Data mixing and phishing attacks
This is not the first data breach of a company in the fitness and health sector. Several companies selling wearable fitness trackers have been targeted in recent years.
In March, Under Armour, which sells sports clothing and fitness gear, lost the details of 150 million MyFitnessPal users. In January, the fitness app Strava published maps built from fitness-tracker data that exposed the training routes of military personnel and the layouts of some bases. Fitbit, the top-selling fitness wearable, has also been hacked and lost a large amount of data.
If adidas does not get this data back, it will almost certainly be mixed with the data from these other breaches. That allows hackers to craft very effective phishing messages from the broad mix of data, increasing the likelihood that users will click the links in those messages and download malware to their machines.
What does this mean?
As with many breaches, the real risk is not just the data stolen. It is the ability of cybercriminals to mix and mine that data with other stolen data sets, giving them a detailed overview of their victims. The more detailed that picture becomes, the more likely it is that the victim will fall for a phishing or other cyberattack.
It will take some time to know exactly what has happened and how it occurred. adidas is doing all the right things in bringing in outside expertise and warning both users and regulators. It is also being polite but firm in stonewalling press enquiries about the details of this case. It wants to make sure it has as much information as possible before making any more statements. This is a problem for many companies that allow the breach story to drive their investigation rather than the other way around.
While adidas is currently convinced this breach affects “just a few million consumers”, there is always the risk of a wider attack. One of the questions the investigators will be looking at is how this occurred. Was it an insider attack? Was it poor cyber security? Did the attackers use stolen security credentials? Was it caused by a third-party piece of software?
According to Ross: “Retailers will continue to be prime targets for attackers due to the valuable nature of personal and payment data they hold. Retailers have a responsibility to keep consumers’ personal information safe and implement measures that detect and mitigate these types of attacks. Yet, despite increased spending on cybersecurity capabilities, breaches still continue to rise. Far too often, we see organisations creating ‘security silos’ by approaching network and endpoint security separately from identity management initiatives, which limits their ability to mitigate risks and detect breaches.”
For now, users should change their password irrespective of which adidas site they shop on.