A second data incident in under 12 months puts third-party cybersecurity risk back at the center of the conversation for global sporting goods brands – and raises questions about vendor oversight.

A data security incident at an independent Adidas licensing partner has brought third-party cybersecurity risk back into the spotlight for the sporting goods industry, as criminals claiming ties to the notorious Lapsus$ hacking group say they breached the German multinational’s extranet via a martial arts products distributor.

An Adidas spokesperson confirmed to The Register that the company is investigating “a potential data protection incident at one of our independent licensing partners and distributor for martial arts products.” The spokesperson stressed that the affected entity “is an independent company with its own IT systems” and said there is “no indication that the adidas IT infrastructure, our own e-commerce platforms, or any of our consumer data are affected by the incident.”

The claims surfaced on 16 February on BreachForums, posted by someone purporting to be a member of Lapsus$ – a cybercriminal collective behind high-profile attacks on Nvidia, Microsoft, Samsung and Okta during a 2021–2022 spree. The group’s modus operandi typically involves phone-based social engineering, SIM swapping and employee bribery to harvest credentials and bypass multi-factor authentication.

This is the second confirmed third-party breach affecting Adidas in under a year. In May 2025, the brand notified customers that an unauthorised individual had accessed data held by a third-party customer service provider. That incident, reported at the time by The Register, did not involve core Adidas systems but exposed consumer contact information for an undisclosed number of people.

Adidas declined to specify when the breach occurred, which data categories were compromised, or what remediation steps have been taken. As of publication, no separate official statement had been issued beyond the spokesperson’s comment to The Register.