Sportswear manufacturer Adidas has notified users, via its website, about a data breach involving encrypted passwords, usernames and contact information.
According to its statement, the breach is only likely to have affected users who purchased products through adidas.com/US; however, it gave no indication of the number of customers likely to have been affected.
According to Business Insider, an Adidas spokeswoman stated the number of users affected is likely to be “a few million.”
Adidas states it has notified authorities, is working with “leading data security firms” to investigate the issue and has contacted affected customers.
Its statement was published on 28th June, and it claims it identified the breach on 26th June.
Under Article 33 of the EU’s General Data Protection Regulation, organizations must disclose data breaches to supervisory authorities no later than 72 hours after they identify them.
Meanwhile, Article 3 of the GDPR defines the “territorial scope” of the Regulation, under which its provisions can apply to organizations that serve EU citizens regardless of where the organization is based.
Adidas notes it “has no reason to believe” that any credit card or fitness information has been accessed by unauthorized third parties.
Very little is known about the breach and Adidas had little else to say when approached for comment by news organizations.