
Nike Data Breach: 1.4TB Stolen in Ransomware Attack

Dillip Chowdary
Tech Entrepreneur & Innovator · April 27, 2026 · 10 min read

Global sportswear giant Nike has confirmed a major security incident today, April 27, 2026. A group calling itself the "Crimson Collective" has leaked samples of what it claims is a 1.4 terabyte dataset stolen from Nike's internal corporate servers.

What was Stolen?

Samples released on an extortion site include high-resolution 3D CAD designs for 2027 footwear models, internal supply chain logs from Southeast Asian factories, and limited employee records. Cybersecurity firm Palo Alto Networks indicates the breach originated through an unpatched vulnerability in a legacy vendor portal that was recently integrated into Nike's central ERP system.

The Crimson Collective Emerges

This incident marks the third major "Tier 1" hit for the Crimson Collective in 48 hours, following the Brightspeed and Itron attacks. The group appears to be utilizing agentic ransomware—self-propagating code that uses local LLMs to identify high-value files and exfiltrate them before encryption begins. This "exfiltration first" approach is designed to bypass standard EDR (Endpoint Detection and Response) solutions.

Nike's Response

Nike has activated its incident response plan and is working with federal law enforcement. The company stated that customer payment information is stored on separate, tokenized systems and does not appear to be part of the exfiltrated 1.4TB dump. However, all Nike employees have been instructed to perform a mandatory password reset.

Lesson for Enterprise Tech

The Nike breach highlights the extreme risk of M&A integration. Legacy systems brought in through acquisitions often provide the "soft underbelly" for sophisticated actors. In the age of AI-driven attacks, security audits of third-party portals must be continuous rather than periodic.