Adidas leak exposes third-party risk, warns Shobhit Gautam

A recent incident involving Adidas has sparked concerns about the cybersecurity practices of third-party vendors in the retail sector. According to a BBC report, the company was caught in a data exposure situation stemming from vulnerabilities tied to its online store operations. Although no payment information was directly leaked, the breach allowed sensitive customer details to be accessed, including order data and contact information.

The episode is a fresh reminder that even globally recognised brands are not immune to the cascading effects of weak links within their digital ecosystems. Cybersecurity experts are now urging retailers to reevaluate how they manage their vendor relationships—especially those involving customer-facing APIs and backend infrastructure.

Shobhit Gautam, Staff Solutions Architect at HackerOne, emphasised the broader implications of the incident:

“The recent Adidas incident underscores the importance of holding third-party vendors to security standards that match or exceed those of the contracting organisation.

Organisations must enforce robust data protection practices across their entire vendor ecosystem. Key security measures should include:

Encrypting all sensitive data, including customer and payment information, both at rest and in transit.

Implementing proper data classification and controls to ensure appropriate handling of different data types.

Requiring third-party providers to share results from regular security testing and disclose any outstanding vulnerabilities or remediation efforts.”

Gautam added, “It’s essential for online retailers to not only carefully vet third-party APIs and features before implementation, but also to ensure these vendors proactively and continuously assess their security posture, through efforts like pentests and Vulnerability Disclosure Programs, to maintain strong software supply chain hygiene.”

As e-commerce platforms continue to integrate a wide array of third-party technologies to enhance user experience, the Adidas case serves as a cautionary tale. Vendor oversight, once considered a legal or operational matter, is now clearly a frontline cybersecurity priority.

Andriani has been working in the publishing industry since 2010. She has worked in major publishing houses in the UK and Greece, such as Cambridge University Press and ProQuest. She gained experience in different departments in publishing, including editing, sales, marketing, research and book launches (event planning). She started as Social Media Manager at 4i magazine, but very quickly became the Editor in Chief. At the moment, she lives in Greece, where she is mentoring women on job and education matters, and she is the mother of 3 boys.