A data breach reported by Adidas last week nabbed customer login and password details and contact information but is not believed to include sensitive credit card numbers or fitness data, the company said.
The German footwear powerhouse said it noticed the breach on June 26, an incident that affected a limited number of customers who shopped on its adidas.com/us e-commerce website. It’s reportedly working with data security experts and law enforcement groups to determine how the breach occurred and who are the culprits behind it. Adidas began notifying affected customers even as its forensic investigation into the matter continues.
The company declined to comment further or detail how many customers are known to be affected.
The breach comes in the wake of the May 25 enforcement of the European Union’s (EU) stringent General Data Protection Regulation (GDPR), which requires greater transparency regarding the kinds of data companies can collect and store from customers residing in the EU—and metes out stiff penalties for data security incidents. Though the Adidas breach does not seem to fall under this new regulation because it affected its U.S. site and not a site serving the EU, its rapid response could reflect how GDPR-compliant businesses are expected to handle such incidents—reporting breaches in just 72 hours.
So far, 2018 has brought a rash of retail data security compromises, including a POS breach involving Saks Fifth Ave, Saks OFF Fifth and Lord & Taylor. In March, Under Armour said a breach compromised the data of 150 million MyFitnessPal app users, and that month Sears also reported that online customers’ data was hijacked, though in-store shoppers were not affected.
What’s more, Facebook’s scandal with Cambridge Analytics has kept the spotlight on data-privacy issues amid a growing consumer awareness over which companies have and share their personal information.