Dive Brief:
- Adidas AG has advised "relevant" customers of its adidas.com/U.S. e-commerce site of a potential incident involving internet security, according to a press release. The company became aware that on June 26, an unauthorized party said they acquired a limited amount of data from certain Adidas customers.
- The data involves millions of customers, an Adidas spokeswoman told the Los Angeles Times. The compromised records include contact information, usernames and encrypted passwords, according to a preliminary investigation. In the press release, Adidas said it does not believe that consumer credit card or fitness information was affected, and it is continuing with a "thorough forensic review."
- At least two other companies reported security breaches in recent weeks, both in the U.K. One was food retailer Fortnum & Mason – known as the "Queen’s grocer" – which had 23,000 customer details breached, including addresses and phone numbers, reported The Independent. The other was Ticketmaster UK, according to TechCrunch, which reported on June 23 that it had identified malware that affected almost 5% of its customers who used a chatbot, making names, email addresses, telephone numbers, payment details and login information from February 2017 to June 23 vulnerable. TechCrunch said the company was informed of the breach back in April by U.K. digital bank Monzo.
Dive Insight:
Time marches on – and so do data thieves. Consistent with data thieves' approach of targeting specific business segments, the Adidas breach reveals a pattern of going after sporting goods and health- and fitness-related companies. It comes on the heels of several other breaches affecting consumers, including one in April that affected Under Armour’s MyFitnessPal app and hit about 150 million accounts. Under Armour uses the food and nutrition app to promote its e-commerce sales. Also in April, a breach of Panera Bread’s website, exposing 37 million customer records, became known. Panera has cultivated an image of being a health-oriented fast-casual restaurant. It fits the pattern.
Other recent data breaches of retail entities included the point-of-sale systems at some Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores last year, which led to the theft of about 5 million credit and debit card numbers. That breach of the three Hudson’s Bay Co. retail brands was said to be the biggest and most damaging in retail.
There have been data breaches that resulted from malware being planted on the POS systems in stores operated by The Buckle, Eddie Bauer, Kmart and Forever 21. Sears alerted customers to a "security incident" on April 4 that also affected Kmart and Delta Air Lines, which uses the same online support service as Sears, reported Business Insider. Best Buy, Saks Fifth Avenue, Lord & Taylor, Sonic, Whole Foods, GameStop and Arby’s are also on Business Insider’s list of retailers breached in the last year.
About 66% of retailers and wholesalers surveyed by security technology company Radware admitted to paying ransom to a hacker within the last year, according to Radware’s 2018 Executive Application and Network Security Report. This violates common wisdom about how to handle ransomware attacks. Also, several retail and payments companies have joined to create the Secure Payments Partnership, which is working toward faster and more secure payment systems.
A commonality between the Panera and Ticketmaster UK breaches was a hesitation to reveal the damage immediately. Adidas avoided that trap.
"Each time a new data breach is disclosed from a 'trusted' retailer, consumer trust in that brand diminishes," said Joe Stuntz, vice president of cybersecurity at One World Identity, in a statement emailed to Retail Dive. "To Adidas’ credit, they disclosed the breach quickly, because, as we’ve seen with other incidents, no breach stays secret for long, and the appearance of attempting to cover it up can further weaken consumer confidence in that brand."
The growth of e-commerce and mobile payments has resulted in a large opportunity for hackers to infiltrate retail databases and steal customer data, said George Avetisov, CEO of HYPR, in an emailed statement. "From this year’s Saks Fifth Avenue breach to now Adidas, the common thread these incidents share is the centralization of massive amounts of customer data – this includes payment and retail account login details, bank card numbers and more. This creates a large attack surface and an easy, single point of failure that hackers love," he said.
"Retailers and payment service providers need to remove the target through decentralization, where customer data is stored on the customer’s mobile device. This removes the target and forces hackers to go from device to device to attempt obtaining even one set of credentials, which will ultimately deter them. If not, we can expect to see more of these retail breaches in 2018," Avetisov said.