Inside This Article:
- Adidas confirmed a cyber incident earlier this year that involved the release of personal consumer data.
- The breach reportedly occurred after hackers gained access through an external vendor that performed customer service operations.
- Experts say cyber criminals are exploiting the security gaps of smaller third-party vendors, posing growing risks for the companies that rely on them.
- Cyber & Privacy Liability Insurance can help cover costs related to a data breach including customer notification, legal defense, regulatory fines, and settlements.
The personal data of some Adidas customers was compromised after hackers infiltrated a third-party vendor providing customer service support. In a May 23 statement from the German athletic brand, the company said it took immediate steps to contain the incident and notify affected customers.
The data breach primarily exposed contact information for customers who had used the company’s customer service help desk. Passwords and payment details were not compromised, the brand confirmed.
Experts say the breach is just one example of the growing cybersecurity risks associated with third-party vendors. Supply chain security is a “critical vulnerability” for businesses today and every outside vendor can be a potential point of entry, cybersecurity firm McAfee noted in a recent report about the Adidas incident.
“One of the biggest misconceptions is that companies do not have a cybersecurity exposure because they are outsourcing certain services,” said Taras Shalay, Associate Managing Director, Burns & Wilcox, Farmington Hills, Michigan. “I try to explain that the risk extends not just to them but also to their business partners.”
One of the biggest misconceptions is that companies do not have a cybersecurity exposure because they are outsourcing certain services. I try to explain that the risk extends not just to them but also to their business partners.
Companies should be aware of these potential vulnerabilities and ensure that they are protected with Cyber & Privacy Liability Insurance, which can help cover the cost of data breach response and recovery. Their third-party vendor partners should also carry this coverage.
“These cyber events happen all too often,” said Phillip Hawes, Broker, Professional Liability, Burns & Wilcox, Brokerage Division, Chicago, Illinois. “Depending on the business and how many records are affected, the claims can be extremely expensive.”
Vendors increasingly targeted by hackers
According to National Law Review, Adidas is being sued by a customer over the recent data breach — part of a growing trend of litigation attempting to hold companies accountable for third-party vendor data breaches, the publication reported. The University of Chicago Medical Center faces a similar lawsuit after a third-party breach that exposed sensitive data, with both lawsuits alleging that the organizations should have done more to protect customers.
Data from Verizon indicated that 30% of data breaches last year involved a third party, such as suppliers, vendors, hosting partners, and IT support providers, Tech.co reported in May. While large companies often have more robust cybersecurity safeguards in place, smaller third-party vendors may be easier for cyber criminals to exploit, Hawes explained.
“Cyber criminals may target somebody who is a little bit weaker in the supply chain. This is definitely becoming more prevalent,” he said. “A hacker might not be able to breach Walmart directly, for example, but if they go after a small shipper of bananas or oranges, that creates a potential opening. Claims are more likely to come from someone along the supply chain than from a Fortune 500 company.”
When a data breach is first identified, a company’s Cyber & Privacy Liability Insurance will typically respond “to determine what damage has been done and how it occurred,” Shalay said. “Through that process, the policy is going to make the insured whole, and then at the end of that process the insurance carrier will have the ability to subrogate and file a claim against whatever third parties may have been at fault.”
If a company did not carry their own Cyber & Privacy Liability Insurance policy, they could face an uninsured loss, Shalay added. “The third-party vendor may not have enough insurance to go around. If the vendor is an IT company with 500 customers and millions of records, a $1 million Cyber policy likely will not be enough to extend to all of their clients,” he said. “They would be left without any protection, and that can be really damaging.”
Companies ‘can never have enough’ liability coverage
The global average cost of a data breach is about $4.4 million, while the average U.S. data breach cost is a record-breaking $10.22 million, according to IBM’s 2025 Cost of a Data Breach Report. Costs related to data breaches can include regulatory penalties, consumer notification, monitoring services, business interruption, and defending against lawsuits. These can be covered by Cyber & Privacy Liability Insurance, while additional liability limits through an Excess Liability Insurance policy may be needed for larger-scale breaches.
For companies without insurance, a single data breach “could take them out of business,” Hawes said. “It can be devastating, especially for small business owners,” he said. “You can never have enough coverage.”
Cyber & Privacy Liability Insurance policies can vary significantly, with different insurance carriers having their own endorsements and exclusions, Shalay pointed out. Key add-ons may include coverage for wrongful collection and theft of physical goods.
“Not everyone’s exposure is exactly the same as someone else’s. You definitely want to get multiple quotes and have an experienced broker provide coverage analysis so you can make the right decision,” he said. “The policy is really meant to hold the insured’s hand through the whole process and minimize the cost from the first second of a breach.”
The [Cyber & Privacy Liability Insurance] policy is really meant to hold the insured’s hand through the whole process and minimize the cost from the first second of a breach.
Directors & Officers (D&O) Insurance, which can provide coverage for company leaders if they are personally sued over decisions made on behalf of the organization, is also important for many businesses, Shalay said.
Building cyber resilience
To reduce exposure to data breaches occurring through third-party vendors, organizations can require specific cybersecurity best practices in their contracts with outside partners, assess vendors’ history of previous cyber incidents, and conduct ongoing security reviews. Insurers are increasingly asking these risk management questions during the underwriting process, Shalay said.
“We are seeing a lot more contract requirements,” including minimum liability limits that third-party vendors must carry on their Cyber & Privacy Liability Insurance policy, he said.
Companies that rely on third-party vendors to handle sensitive customer data should be particularly cautious when selecting partners, Hawes said. “You always have to be careful — almost overcautious,” he said. “The world has become inherently riskier, but [Cyber & Privacy Liability Insurance] is cheaper than it has been in five-plus years. It is not a matter of if a data breach will occur, but when. No company is too small or too big.”
