Nike Sued Over Data Breach That Allegedly Exposed Customer Payment Card Information

What happened

Nike is facing a proposed class action lawsuit over a January 2026 data breach that allegedly exposed customer information, including payment card data. The complaint alleges Nike discovered unauthorized access involving a third-party service provider on or around Jan. 21, 2026, and that affected customers were not notified until Feb. 25, 2026. The suit says the exposed information may have included names, email addresses, billing addresses, phone numbers, transaction information, and payment card information. In a statement cited in coverage of the filing, Nike said it had previously identified an incident involving a third-party service provider that resulted in unauthorized access to limited consumer information, and said no full payment card details or account credentials were accessed. Nike also said it worked with law enforcement and cybersecurity experts and provided notifications and support to impacted individuals. 

Who is affected

The direct exposure affects Nike customers whose information may have been contained in the compromised third-party environment. The lawsuit says the data at issue may have included contact details, billing addresses, transaction information, and payment card information, while Nike said no full payment card details or account credentials were accessed. 

Why CISOs should care

This incident matters because it centers on customer data exposure tied to a third-party service provider and has already escalated into proposed class action litigation. It also shows how breach response scrutiny can quickly extend beyond the intrusion itself to include notification timing, vendor oversight, and the precision of public statements about what payment-related data was or was not accessed. 

3 practical actions

  1. Pressure-test third-party breach visibility: Ensure contracts, monitoring, and escalation paths provide fast clarity when a service provider incident may expose customer information. 
  2. Separate payment data statements precisely: Distinguish clearly between payment card information, full payment card details, and account credentials when assessing impact and communicating externally. 
  3. Treat notification speed as a control issue: Review whether internal and vendor-led investigations can support timely customer notification once unauthorized access is identified. 
