Nike is investigating a potential cybersecurity incident after an extortion group known as World Leaks claimed it stole and leaked a massive trove of internal company data.
The group alleged it exfiltrated 1.4 terabytes of files from the global sportswear brand, raising concerns about exposure of sensitive corporate and operational information.
“What’s notable about the Nike data breach isn’t just that a global brand may have been compromised, which is becoming familiar, but what was allegedly taken by WorldLeaks,” said Matt Hull, global head of Threat Intelligence at NCC Group, in an email to eSecurityPlanet.
He explained, “The apparent focus on R&D, manufacturing and employee data underscores how supply chain vulnerabilities have become a primary target for cyber criminals.”
Matt added, “The possible exposure of operational and supply chain data raises broad concerns about resilience, visibility and third-party risk management. The potential Nike breach reinforces the need for supply chain security to be treated as a core business risk.”
What the Alleged Nike Breach Could Mean
If confirmed, the incident would highlight how global brands remain prime targets for extortion-focused attacks beyond customer data.
World Leaks claims the stolen files include nearly 190,000 documents tied to Nike’s internal business operations, which could have implications for intellectual property, supply chain resilience, and third-party risk.
The allegations surfaced after World Leaks added Nike to its dark web data leak site, though the listing was later removed before widespread publication.
This type of removal often signals negotiations between attackers and victims, though Nike has not confirmed whether discussions occurred or whether any ransom was paid.
At the time of reporting, BleepingComputer was unable to independently verify the authenticity or contents of the alleged data, and Nike has not confirmed the group’s claims.
Inside the World Leaks Ransomware Rebrand
World Leaks is believed to be a rebrand of the Hunters International ransomware group, which emerged in late 2023 and later pivoted away from traditional file encryption attacks.
In January 2025, the group reportedly transitioned to data theft and extortion-only operations, citing increased law enforcement pressure and declining profitability of ransomware encryption campaigns.
Hunters International itself had been flagged by researchers as a possible successor to the Hive ransomware operation due to similarities in code and tactics.
Prior to rebranding, the group claimed responsibility for hundreds of attacks worldwide.
Known victims in the past have included the U.S. Marshals Service, Tata Technologies, Japanese optics manufacturer Hoya, AutoCanada, and U.S. Navy contractor Austal USA.
Under the extortion-only model, attackers focus on quietly exfiltrating data rather than disrupting operations. Victims are then pressured to pay to prevent public disclosure.
This approach reduces operational noise while maximizing leverage — particularly when stolen data includes sensitive operational, R&D, or supply chain information rather than just customer records.
World Leaks has also been linked to other high-profile activities.
In July 2025, affiliates were associated with the breach of a Dell product demonstration platform and the exploitation of end-of-life SonicWall SMA 100 devices, where attackers reportedly deployed a custom OVERSTEP rootkit to maintain persistent access.
How Organizations Can Reduce Data Extortion Risk
As extortion-focused attacks continue to target sensitive corporate data rather than system availability, organizations need defenses that go beyond traditional ransomware playbooks.
These attacks are often quiet, fast-moving, and designed to maximize leverage through data theft rather than disruption.
Reducing risk requires a layered approach that combines visibility, identity controls, and data protection with tested response processes.
- Monitor for unusual outbound data transfers, especially from systems containing intellectual property, R&D, and operational data.
- Improve asset visibility, apply least-privilege access controls, and segment sensitive environments to limit lateral movement.
- Implement outbound data loss prevention (DLP) to detect and block large or abnormal data exfiltration attempts.
- Harden identity security by enforcing phishing-resistant MFA and monitoring for anomalous credential use.
- Review and restrict third-party and supply chain access, particularly for manufacturing and logistics partners.
- Integrate extortion-only scenarios into security operations and regularly test incident response plans focused on data exposure.
- Strengthen data governance through classification and retention controls to reduce the impact of stolen corporate data.
These measures help organizations limit exposure and respond to data extortion threats.
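As an added illustration of the first item above (this is not code from the article or from any vendor), the sketch below scores each host's latest daily outbound volume against its own recent baseline using the median and median absolute deviation, with a lower alert threshold for hosts tagged as holding sensitive data. The host names, byte volumes, tag set, and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample: daily outbound volume per host in GB, oldest first.
# Host names and the "sensitive" tag set are hypothetical.
EGRESS_GB = {
    "rd-fileserver": [2.1, 1.8, 2.4, 2.0, 2.2, 1.9, 2.3, 48.0],
    "web-proxy":     [40.0, 42.5, 39.0, 41.0, 43.0, 40.5, 42.0, 47.0],
    "hr-share":      [0.5, 0.5, 0.5, 0.5, 0.5, 0.5, 0.5, 0.6],
}
SENSITIVE = {"rd-fileserver", "hr-share"}


def robust_score(history, today, floor_gb=0.25):
    """How far today's volume sits above the baseline median, in MAD units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # A perfectly flat baseline gives MAD == 0; floor the spread so a
    # trivial increase on a quiet host does not produce a huge score.
    spread = max(1.4826 * mad, floor_gb)
    return (today - med) / spread


def flag_egress(series, sensitive, k_default=6.0, k_sensitive=4.0, min_days=5):
    """Return [(host, score)] where the latest day exceeds the host's threshold."""
    alerts = []
    for host, days in series.items():
        history, today = days[:-1], days[-1]
        if len(history) < min_days:
            continue  # not enough baseline to judge
        score = robust_score(history, today)
        # Hosts holding IP, R&D or HR data alert on smaller deviations.
        k = k_sensitive if host in sensitive else k_default
        if score > k:
            alerts.append((host, round(score, 1)))
    return sorted(alerts, key=lambda a: -a[1])


if __name__ == "__main__":
    for host, score in flag_egress(EGRESS_GB, SENSITIVE):
        print(f"ALERT {host}: {score} MADs above baseline")
```

A per-host baseline matters here because a busy proxy moving 47 GB is routine while a file server that normally sends 2 GB and suddenly sends 48 GB is not; a single global byte threshold would miss that difference.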
The Shift to Data-Centric Extortion
Whether or not the alleged Nike breach is ultimately confirmed, the incident reflects a broader shift in cybercrime toward quiet, data-centric extortion that targets intellectual property and supply chains rather than system downtime.
This evolution underscores the need to rethink traditional ransomware defenses and treat data exposure as a primary business risk.
As extortion groups refine tactics that maximize leverage while minimizing disruption, organizations that lack visibility into their data flows and supply chain dependencies will remain vulnerable.
With attackers increasingly targeting interconnected partners and operational data, supply chain security has become an important pillar of modern cyber defense.
