Adidas becomes latest UK retailer to be hit by cyber attack
Adidas, a global clothing and footwear brand, has joined the list of UK retailers to be hit by a cyber attack in the last few weeks. This follows similar, though believed unrelated, incidents at retailers such as Harrods, The Co-Op and Marks & Spencer, with the latter expected to cost the company roughly £300 million.
Adidas has confirmed that the attackers behind this incident have obtained the personal data of some customers who had previously been in touch with their help desk. The compromised data mainly consists of contact information of the aforementioned individuals and does not contain account passwords or any payment information.
When contact information is compromised in this way, the most significant risk to impacted individuals will always be attempted phishing scams, where attackers use the information to pretend to be someone else in order to obtain even more data, such as account passwords. It is recommended that anyone who has been notified by Adidas that their data has been compromised remains vigilant against these attempted attacks.
The data breach was discovered on 23rd May, and while investigations are ongoing, it’s believed that the attack involved unauthorised access to a third-party customer service provider, through which the attackers were able to gain access to and extract the personal data. This is notable as it is very similar to the methods believed to have been used in the recent Co-Op and Marks & Spencer attacks.
In those attacks, it is believed that a form of attack known as a ‘social engineering’ attack was used, where attackers rely on human error to gain unauthorised access to systems. This often comes in the form of things such as emails pretending to be someone else who works in the business and asking for login credentials for systems.
In a post on their website, Adidas said “We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident”.
What are the key takeaways from this?
Remain vigilant of attempted social engineering attacks: Social engineering attacks are becoming more and more common, and it’s not just large companies like Adidas that are vulnerable to being targeted. It’s vital that all staff remain vigilant and make sure that the person asking for information is who they say they are. One of the best ways to achieve this is by having staff complete frequent refresher training on the things to look out for regarding attempted attacks.
Check out PRIVACY HELPER’s Staff Training page to learn more about the benefits of frequent staff training.
Third-party due diligence is key: One key similarity between this incident and other recent ones, such as the attacks on Marks & Spencer and Coinbase, is that rather than targeting the companies directly, the attackers went after third-party suppliers, knowing that they often act as weak points in the security of a business. Under GDPR, as a data controller, you are responsible for any processing activities that are carried out. Should one of your suppliers suffer a breach involving your personal data, and the appropriate due diligence has not been completed, you are likely to be held liable.
Check out our page on Supplier Due Diligence to see what PRIVACY HELPER can do to ensure that your suppliers are operating in the appropriate manner.
Remain transparent when an incident happens: Adidas chose to take control of the narrative early by being clear about the incident and the impact it may have on customers. Being honest and upfront about an incident is the best way to maintain public trust.
Next Steps
Ensuring that you handle, process and store personal data in a way that’s in line with the law isn’t easy. To be confident that you’re compliant, and to address any concerns you may have, contact PRIVACY HELPER today, and let us remove the stress of managing data compliance in your business.