Nike probes after extortion group claims 1.4TB of internal files leaked

Nike is investigating a potential cybersecurity incident after a self-styled extortion group, WorldLeaks, claimed it had published about 1.4 terabytes of company files, a cache researchers say amounts to roughly 188,347 documents, on a darknet leak site, and Spain’s national cybersecurity agency flagged the matter in an advisory on Feb. 19.

The material reported by security analysts and aggregated in agency bulletins is said to emphasize product development and operational files rather than customer databases. Samples and listings reviewed by researchers and reported by threat intelligence groups include design schematics, technical packs, bills of materials, prototypes, R&D documentation, factory audits, manufacturing partner details and employee training materials dated 2020 to 2026. One report identified directory names such as "Women's Sportswear" and "Men's Sportswear" and singled out design schematics and tech packs for the Jordan Brand SP27 collection.

“We always take consumer privacy and data security very seriously,” a Nike spokesperson told reporters. “We are investigating a potential cyber security incident and are actively assessing the situation.” Reuters later reported that Nike declined to comment on the specifics of its investigation or on whether any ransom was paid.

Security outlets that have tracked the leak emphasized that the authenticity of the published cache has not been independently verified and that the files were not immediately accessible for outside review. Attempts to establish direct contact with those behind WorldLeaks were unsuccessful, and researchers cautioned against treating the extortion group’s claims as confirmed until forensic analysis and company disclosures are completed. As one cybersecurity commentator noted, “Unlike typical ransomware attacks that target customer databases, this breach appears focused on Nike's core intellectual property and operational infrastructure.”

The alleged breach raises immediate commercial and community concerns beyond prototypes and design drawings. If factory audits and partner records are genuine, suppliers and manufacturing workers could face operational disruptions, contract uncertainty and reputational fallout that affect wages, hours and access to employer-provided benefits, including health coverage. Retail and wholesale partners could also confront disclosure and mitigation obligations if their information is implicated, creating downstream costs and potential service interruptions for thousands of factory employees and logistics workers in supplier communities.

Market reaction was muted. Early trading showed shares largely flat following the reporting, a sign investors were waiting for confirmation and corporate detail. Broader industry data cited by coverage of the incident note that reported ransomware incidents and payments fell between 2023 and 2024, but experts say that attacks focused on intellectual property and supply chains remain disruptive in ways that are harder to quantify than direct ransom payments.

Key questions remain unanswered: independent verification of the files, whether any customer or partner personal data are included, the access vectors used by the intruders and whether Nike engaged law enforcement or paid a ransom. Spain’s INCIBE advisory summarized publicly available reporting and notified stakeholders to monitor the developing investigation; the full agency bulletin has not been published in the consolidated reporting.

As investigators and corporate security teams continue their assessments, the episode highlights persistent vulnerabilities in complex global supply chains and the social equity implications of cyber intrusions that can ripple from corporate design rooms to factory floors and worker communities. Journalists and regulators will press Nike and security researchers for forensic proof and for clear disclosures about who and what may be affected.