Nike hid a major data breach for 35 days while stolen customer payment data circulated on the dark web

Nike Left Millions of Customers Exposed: The 2026 Data Breach Breakdown
EvilCorporations.com — Corporate Accountability Project
🔴 Class Action · Data Breach · Nike, Inc. · 2026

Nike Stored Your Payment Data Without Proper Encryption. Then Hackers Took It. Then Nike Waited a Month to Tell You.

A class action lawsuit filed March 2026 reveals that Nike failed to protect customer names, billing addresses, phone numbers, and payment card details, then concealed the breach for over 35 days.
Filed: March 24, 2026 · District of Oregon · Case No. 6:26-cv-00564 · Sportswear / Retail
🔴 Severity Level: Critical  ·  Class Action  ·  Multiple State and Federal Claims
TL;DR

Cybercriminals broke into Nike’s inadequately secured network and stole the personal and payment information of thousands of customers. Nike discovered the breach on January 21, 2026, but did not tell a single affected customer until February 25, over a month later. During that window, stolen data was already circulating on the dark web. Nike stored sensitive customer data without adequate encryption and failed to meet basic industry cybersecurity standards. This was not an unavoidable attack. Experts say data breaches like this are preventable. Nike chose cheaper, weaker security over its customers’ safety.

Nike collected your data. Nike failed to protect it. Nike then hid the breach while criminals used it. That is not a technical failure. That is a choice, and it has consequences for real people.

Days Nike hid the breach: 35+
Amount in controversy (floor): $5M+
Class members (minimum): 100+
Counts filed against Nike: 6
⚠️
Core Allegations
What Nike did
01 Cybercriminals accessed a portal hosted by a third-party service provider and infiltrated Nike’s inadequately secured computer environment, gaining access to files containing sensitive customer data including names, email addresses, billing addresses, phone numbers, transaction information, and payment card details. high
02 Nike discovered the breach on or around January 21, 2026, but did not begin notifying affected customers until February 25, 2026, a delay of over 35 days during which stolen data was already being sold and traded on the dark web. high
03 Nike stored customers’ personally identifiable information in an unencrypted condition, violating its own obligations and basic industry standards for data security, making the breach far more damaging than it would have been with proper encryption. high
04 Nike’s breach notice failed to inform customers when the breach occurred or for how long the intrusion had been active, leaving victims unable to assess the scope of their exposure or take targeted protective action. high
05 The lawsuit alleges Nike “intentionally, willfully, recklessly and/or negligently” failed to implement adequate measures to safeguard customer data, including failing to follow required protocols on encryption even for internal use. high
06 Nike allegedly failed to meet minimum standards of both the NIST Cybersecurity Framework Version 2.0 and the Center for Internet Security’s Critical Security Controls, two foundational frameworks for reasonable cybersecurity readiness. high
🏛️
Regulatory Failures
How oversight broke down
01 Nike’s conduct violates Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in commerce. The FTC has long established that failing to maintain reasonable data security for consumer information is an unfair practice under this statute. high
02 Nike violated California’s Consumer Privacy Act (CCPA, Cal. Civ. Code § 1798.100 et seq.) by failing to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information it collected and stored. high
03 Nike violated the California Customer Records Act (Cal. Civ. Code §§ 1798.80 et seq.) by failing to provide legally compliant and timely breach notification to all affected individuals, including failing to disclose required details such as the date range of the breach. high
04 Despite the FTC’s published guidelines specifically recommending encryption of stored data, intrusion detection systems, and verified third-party vendor security, Nike allegedly failed to implement these widely available, well-documented protections. med
05 Nike also failed to verify that its third-party service provider, through whose portal the breach occurred, had implemented reasonable security measures, a basic due-diligence obligation under FTC guidelines for businesses that use external vendors to process customer data. high
💰
Profit Over People
Security costs cut, customers paid the price
01 The lawsuit alleges Nike “consciously and opportunistically calculated to increase its own profits at the expense of Plaintiff and Class members” by skipping the costs of adequate data security, training, and protocols that industry peers routinely implement. high
02 Rather than investing in reasonable security infrastructure, Nike is alleged to have enriched itself by saving costs it was contractually and legally obligated to spend on protecting customer data. Customers received goods from Nike while unknowingly subsidizing Nike’s security negligence with their own safety. high
03 Customers who provided their payment card information and personal details to Nike did so with the reasonable expectation that Nike would comply with its obligations to safeguard that data. Nike collected data required to complete purchases and then failed to protect it. med
📉
Economic Fallout
Financial harm to real people
01 Victims face imminent and ongoing identity theft risk that may require lifetime credit and identity monitoring. The complaint states that because identity thieves now hold their information, “Plaintiff and all Class members will need to have identity theft monitoring protection for the rest of their lives.” high
02 Victims have already incurred out-of-pocket expenses for identity monitoring services, credit freezes, financial account reviews, and time spent researching protective measures, all costs that Nike’s negligence directly caused. high
03 Stolen payment card information and personal identifiers can be used to open financial accounts, apply for credit, collect government benefits, and commit fraud, activities that damage victims’ credit scores and increase their borrowing costs, insurance premiums, and deposit requirements for years. high
04 The U.S. Government Accountability Office has documented that stolen data may be held and traded for up to a year or more before criminals activate it for fraud, meaning Nike customers could face ongoing harm from this breach for years beyond 2026. high
05 The diminished value of victims’ personal information, which was entrusted to Nike with the expectation of security, constitutes a quantifiable economic harm. There is a well-established national and international market for personal data, and its unauthorized exposure depreciates its value and destroys the privacy interest it represents. med
⚖️
Corporate Accountability Failures
Weak internal governance, delayed response
01 Nike waited over 35 days to inform customers of the breach after discovering it, preventing victims from taking protective action during the most critical window after a data theft. Every day Nike stayed silent was another day criminals had an undisturbed head start. high
02 Nike’s breach notice failed to specify when the breach occurred, how long the intrusion lasted, or whether certain categories of sensitive data such as driver’s license numbers were included, leaving affected customers unable to make informed decisions about their own protection. high
03 Nike’s post-breach notice did not specify what steps the company has taken to prevent future breaches, providing no accountability or assurance to the millions of customers whose data the company still holds. med
04 Nike knew data breaches were a foreseeable risk, had access to documented FTC guidelines and NIST frameworks for prevention, and still failed to act. The complaint characterizes this failure as “intentional, willful, reckless and/or negligent,” not as an unavoidable accident. high
🕐
Timeline of Events
Jan 21, 2026
Nike discovers that an unauthorized party accessed a portal hosted by a third-party service provider and infiltrated its computer environment, stealing customer data including payment card details.
Jan 21 – Feb 24
Nike conducts a forensic investigation but does not notify any affected customers. During this period, stolen data is alleged to have already been sold and circulated on the dark web.
Feb 25, 2026
Nike begins mailing breach notices to affected customers, more than 35 days after discovering the breach. The notice fails to disclose when the breach occurred or how long it lasted.
Mar 24, 2026
Class action lawsuit filed in the U.S. District Court for the District of Oregon by plaintiff Maria Gomez on behalf of all affected customers across the United States.
💬
Direct Quotes from the Complaint
QUOTE 1 · Nike’s intentional failure to protect customer data · Core Allegations
“Defendant disregarded the rights of Representative Plaintiff and Class Members by intentionally, willfully, recklessly and/or negligently failing to take and implement adequate and reasonable measures to ensure that Representative Plaintiff’s and Class Members’ Private Information was safeguarded.”
💡 This language is damning because it goes beyond accidental negligence. The complaint alleges Nike actively chose not to protect customer data, not that it simply made a mistake.
QUOTE 2 · Unencrypted data stored in vulnerable condition · Regulatory Failures
“The Private Information was maintained and/or exchanged, unencrypted, in Defendant’s systems and were maintained in a condition vulnerable to cyberattacks.”
💡 Encryption is a basic, widely available, inexpensive protection. Nike is a company with billions in revenue. Storing customer payment data unencrypted is not a resource problem. It is a priority problem.
QUOTE 3 · Nike profited by skipping security costs · Profit Over People
“Defendant, upon information and belief, instead consciously and opportunistically calculated to increase its own profits at the expense of Plaintiff and Class members.”
💡 This frames Nike’s negligence not as a budget oversight but as a deliberate financial calculation: lower security spend means higher profit margins, with customers bearing the risk.
QUOTE 4 · Lifetime identity theft risk for victims · Economic Fallout
“Because identity thieves have their Private Information, Plaintiff and all Class members will need to have identity theft monitoring protection for the rest of their lives.”
💡 This is not hyperbole. Once personal data is on the dark web, it circulates indefinitely. Nike’s negligence created a permanent, lifelong burden for its customers.
QUOTE 5 · The breach was entirely preventable · Core Allegations
“None of this should have happened. The Data Breach was preventable.”
💡 The complaint cites data security experts who confirm that nearly all major breaches result from failure to implement available protections. Nike had the resources and the knowledge. It chose not to use them.
QUOTE 6 · Dark web sale of stolen customer data · Core Allegations
“The unauthorized third-party cybercriminal gained access to the Private Information, viewed the Private Information on Defendant’s network, and has engaged in (and will continue to engage in) misuse of the Private Information, including marketing and selling Plaintiff’s and Class members’ Private Information on the dark web.”
💡 This is not a theoretical risk. The complaint asserts active, ongoing misuse of stolen Nike customer data on criminal marketplaces at the time the lawsuit was filed.
QUOTE 7 · Nike knew the risk and did nothing sufficient · Regulatory Failures
“Defendant was at all times fully aware of its obligation to protect the Private Information of Plaintiff and Class members. Defendant was also aware of the significant repercussions that would result from its failure to do so.”
💡 Nike cannot claim ignorance. The complaint establishes that the company understood both its legal obligations and the foreseeable consequences of failing to meet them. It failed anyway.
Commentary
Why did Nike wait over a month to notify customers?
The complaint does not provide Nike’s official explanation for the delay, and Nike’s own notice letter failed to justify it. What is clear from the legal record is this: every day Nike stayed silent was another day cybercriminals had undisturbed access to stolen customer data. A 35-day delay in notifying breach victims is not a logistical hiccup. It is a failure that directly increased the harm to real people whose payment details were already circulating on criminal marketplaces.
Was this breach truly preventable?
Yes. The complaint cites data security experts who state that in almost all cases, data breaches that occur could have been prevented by proper planning and the correct design and implementation of appropriate security solutions. Nike is a Fortune 500 company with billions in annual revenue. Basic protections like encryption, NIST-compliant security controls, and proper third-party vendor vetting are not exotic luxuries. They are standard practice. Nike allegedly did not implement them. That is not bad luck. That is a decision.
What information was stolen from Nike customers?
According to Nike’s own breach notice, the stolen data includes names, email addresses, billing addresses, phone numbers, transaction information, and payment card details. The complaint also notes that Nike failed to clarify whether driver’s license numbers were among the compromised data, leaving victims in the dark about the full scope of their exposure. Payment card data combined with personal identifiers gives criminals everything they need to commit identity fraud, open credit accounts, and drain financial resources.
How serious is this lawsuit?
This is a federal class action filed under the Class Action Fairness Act with an amount in controversy exceeding $5 million. It asserts six separate counts against Nike including negligence, breach of implied contract, unjust enrichment, violations of California’s CCPA, violations of the California Customer Records Act, and a claim for declaratory and injunctive relief. The lawsuit seeks actual damages, punitive damages, restitution, attorneys’ fees, and court-ordered security reforms. The strength of the claims is supported by Nike’s own breach notice and documented security failures. This is not a frivolous action.
What can I do to protect myself if I was a Nike customer?
If you received a breach notice from Nike or believe you were a customer whose data was exposed, take these steps immediately. First, place a credit freeze with all three major credit bureaus (Equifax, Experian, TransUnion), which is free and prevents new accounts from being opened in your name. Second, place a fraud alert on your credit file. Third, monitor your bank and credit card statements closely for unauthorized charges. Fourth, consider enrolling in a credit monitoring or identity theft protection service. Fifth, if you are a California resident, you may have rights under the CCPA. Contact an attorney about joining the class action or filing your own claim. The case is Gomez v. Nike, Inc., Case No. 6:26-cv-00564 in the District of Oregon.
Why does Nike still hold customer data after this breach?
The complaint specifically calls this out as a continuing danger. Nike still possesses the private information of all affected customers and has not specified what security improvements it has made since the breach. This means the same customers who were exposed once remain at risk. The lawsuit seeks a court order requiring Nike to implement mandatory security reforms including third-party penetration testing, data segmentation, encrypted transmission, and regular security audits, before those customers can be considered reasonably safe.


Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
