A Data Breach at Adidas' Online Shop Hits Millions
Large sporting events like the FIFA World Cup are very important for sports apparel manufacturers. With millions of eyeballs focused on people wearing their products, the attention paid to the brand is enormous. Last week, Adidas, one of the biggest names in this industry, attracted attention to itself for all the wrong reasons.
On June 26, the German sports equipment giant was contacted by a person who claimed to have stolen "limited" data on some Adidas customers. An investigation was launched, and the security hole was apparently plugged. A couple of days later, Adidas issued a press release. Let's break it down and see what we can gather from it.
The good news
The investigation is still ongoing, but Adidas was quick to point out that no credit card or other financial information has been exposed, which is definitely a good thing. The PR announcement also contains some evidence that Adidas is handling the incident responsibly.
The company's IT team asked security experts and law enforcement agencies to help them investigate the issue and mitigate the risks. The announcement also states that once they figure out exactly what happened, Adidas will contact all affected customers.
The not-so-good news
Although there are one or two good things in it, Adidas' announcement is too short and uninformative. Granted, the investigation is not over, but the press release gives no idea at all of how bad the incident is. Pressed by the media, representatives did say that "a few million" US customers are likely affected. It's hardly a conclusive number, and it could change, but Adidas could have put it in the press release anyway, just to give people a clue as to the scale of the problem.
The part of the press release that explains what sort of data was stolen is also problematic. We've seen our fair share of data breach announcements, and we can safely say that a lot of the people writing them aren't entirely aware of the difference between "encrypted passwords" and "hashed and salted passwords." And if those people haven't a clue, users are pretty much stuck too.
This is what Adidas gave us: "According to the preliminary investigation, the limited data includes contact information, usernames, and encrypted passwords."
If we assume that the passwords are indeed encrypted, then we've got bad news. Protecting consumers' passwords with reversible encryption is not a good idea: the site has to keep the decryption key at hand to check logins, so whoever walks off with the database has a fair chance of walking off with the key as well, and with it every password in plaintext. Let's have a look at a more optimistic scenario.
Imagine the scene: Adidas is preparing the announcement and a PR person is talking to a security specialist to find out what happened:
Security specialist: The passwords are hashed and salted, so people have nothing to worry about.
PR person: Hashed and what?
Security specialist: Just tell them that the passwords were encrypted. People automatically associate encryption with security.
PR person: Sounds good to me.
This, admittedly, is based on the assumption that marketing people don't understand the principles of password storage, which could be completely wrong. Even if we take for granted that Adidas is a security-minded company that hashes its customers' passwords, we still can't tell people that they're safe, not least because there are many hashing algorithms, and some are more secure than others. A single pass of a fast general-purpose hash such as MD5 or SHA-1, with no salt, can be run against a wordlist at billions of guesses per second, and identical passwords produce identical hashes, so one cracked hash cracks every account that shares it. A salted, deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2 makes every guess expensive and forces the attacker to work one user at a time. We can't guess which one (if any) Adidas used.
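To make the difference between "encrypted", "hashed" and "hashed and salted" concrete, here is an added example. It is not Adidas' code and says nothing about what Adidas actually did; the key, the user password and the wordlist are all constructed for the demonstration, and the "reversible encryption" branch uses a toy XOR stream cipher keyed from SHA-256 as a stand-in for whatever real cipher a site might use (the point is that it reverses, not which cipher it is). The salted, slow scheme is PBKDF2-HMAC-SHA256 from the Python standard library.

```python
"""Three ways to store a password, and what an attacker gets from each.

Added example (not Adidas' code). The toy cipher below stands in for any
reversible encryption; the fast hash is SHA-1; the slow hash is PBKDF2.
"""
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple

# Constructed demo inputs: a password and a small attacker wordlist.
USER_PASSWORD = "hunter2"
WORDLIST = ["123456", "password", "hunter2", "qwerty"]

# --- 1. Reversible encryption. The site needs the key to check logins, so the
#        key sits beside the database and tends to leak together with it.
SERVER_KEY = b"key-that-lives-on-the-same-server"  # constructed, not a real key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Demo only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_reversible(password: str, key: bytes = SERVER_KEY) -> bytes:
    """Returns nonce || ciphertext. Anyone with the key reverses it."""
    nonce = os.urandom(16)
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))
    return nonce + ct


def decrypt_reversible(blob: bytes, key: bytes = SERVER_KEY) -> str:
    """What the attacker does with the dump once the key is in hand."""
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


# --- 2. Fast, unsalted hash. One-way, but cheap to guess, and equal
#        passwords give equal digests, so a wordlist cracks them in bulk.
def hash_fast_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def crack_fast_unsalted(digest: str, wordlist: List[str]) -> Optional[str]:
    for guess in wordlist:
        if hash_fast_unsalted(guess) == digest:
            return guess
    return None


# --- 3. Salted, slow hash. Per-user random salt, work factor stored with the
#        hash. 600,000 PBKDF2-HMAC-SHA256 iterations is the current OWASP
#        guidance; lower it only for tests.
def hash_salted_slow(password: str, iterations: int = 600_000) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_slow(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so verification itself leaks nothing.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted_slow(stored: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Returns (guess, pbkdf2_runs). The salt defeats precomputation, so every
    guess costs one full PBKDF2 run, for this user only."""
    runs = 0
    for guess in wordlist:
        runs += 1
        if verify_salted_slow(guess, stored):
            return guess, runs
    return None, runs


if __name__ == "__main__":
    blob = encrypt_reversible(USER_PASSWORD)
    print("encrypted + leaked key ->", decrypt_reversible(blob))
    print("sha1 + wordlist       ->", crack_fast_unsalted(hash_fast_unsalted(USER_PASSWORD), WORDLIST))
    stored = hash_salted_slow(USER_PASSWORD, iterations=1000)
    print("pbkdf2 + wordlist     ->", crack_salted_slow(stored, WORDLIST))
```

Run it and the first two lines come back with the plaintext password immediately; the third also comes back, but only because the constructed wordlist contains the password and each guess had to pay the full work factor for that one user. At the default iteration count, and with a password that is not in the attacker's wordlist, the third scheme is the only one of the three that leaves the customer reasonably safe, which is exactly why "encrypted passwords" in a press release tells you so little.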
The wording in the press release leaves customers with no other choice but to change their password at Adidas' US shop. If it's reused on other websites, it should be changed there as well. Since their email addresses have probably been exposed, Adidas customers should also be wary of phishing attacks.
Like it or not, data breaches are very much a part of our online lives now, and you should be aware of what you need to do when your data gets leaked. As you can see, this includes spotting some unconvincing wording in the companies' post-incident press releases.