Nike investigates possible data breach after cybercrime group claims massive leak

Global sportswear brand Nike has launched an investigation into a potential data breach after a cybercrime group claimed it leaked data tied to the company’s business operations, raising questions about the scope and sensitivity of the alleged exposure.

Nike said it is assessing a possible cybersecurity incident and emphasized that consumer privacy and data security are treated as a priority. The company said it is actively reviewing the situation to determine the facts and potential impact.

The claims were made by WorldLeaks, which said it had leaked nearly 1.4 terabytes of Nike data, including corporate and manufacturing information. Media reports have described the alleged data as containing product designs, materials, pricing details, audits, and product timelines. The group has not specified whether any personally identifiable customer information was included.

Nike was listed as a victim on the Tor-based leak website operated by WorldLeaks on Jan. 22. A countdown timer on the site indicates the data will be made public on Jan. 24 if a ransom is not paid. The attackers have not disclosed the precise nature or volume of data they claim to have taken.

It remains unclear whether the incident, if confirmed, involves information belonging to Nike customers or data tied to wholesale partners such as JD Sports.

WorldLeaks emerged in 2025 after the shutdown of Hunters International, a ransomware group active since late 2023. Unlike its predecessor, WorldLeaks does not deploy file-encrypting malware and instead focuses on data theft and extortion. The group’s leak site currently lists nearly 120 alleged victims. One of them is Dell, which said in July 2025 that only synthetic or publicly available information had been taken.

The potential incident at Nike follows a series of high-profile breach investigations across the retail and hospitality sectors. Earlier this month, Under Armour said it was investigating a cyber incident involving customer email addresses and other personal information. The breach is believed to have occurred last year and affected nearly 72 million email addresses.

In Southeast Asia, Marina Bay Sands was fined SG$315,000 after a data breach exposed the personal information of 665,495 patrons in October last year. The Personal Data Protection Commission said the exposure resulted from inadequate security controls during a software migration in March 2023, which left patron data from the ArtScience Friends webpage accessible.