A California shopper is taking Nike to federal court, accusing the sportswear giant of dropping the ball on data security after a January incident that allegedly exposed customer payment card details and other personal information. The proposed class-action lawsuit seeks money damages plus years of credit or identity monitoring for everyone the complaint says was caught up in the incident.
How The Case Landed In Federal Court
As reported by Bloomberg Law, lead plaintiff Maria Gomez filed the suit in the U.S. District Court for the District of Oregon, where Nike is headquartered. The complaint asks a judge to sign off on a nationwide class of affected customers.
The filing says Nike discovered that someone had gained unauthorized access to a third-party portal around Jan. 21, 2026, but did not notify customers until roughly a month later. That lag in disclosure is one of the central issues Gomez wants the court to scrutinize.
What The Lawsuit Says Nike Got Wrong
According to The Oregonian/OregonLive, the complaint alleges that names, email addresses, billing addresses, phone numbers and payment card information were exposed in the incident. The suit also claims Nike failed to encrypt sensitive data that should have been locked down.
The plaintiffs are asking for at least $5 million in damages. They also want the court to require Nike to provide long-term credit monitoring and other identity theft protections for everyone who falls within the proposed class.
The Breach Timeline And The WorldLeaks Angle
In late January, a leak site tied to the WorldLeaks extortion group posted a cache of Nike files, and the company acknowledged to Reuters that it was "investigating a potential cyber security incident." Security reporting has indicated that those posted files appeared to focus mostly on internal product and manufacturing data.
It is still not clear whether the material touted on the WorldLeaks site and the customer data at the center of Gomez’s lawsuit came from the same security lapse. As IT Pro notes, investigators and reporters have yet to definitively connect those dots.
What Is Legally On The Line
The complaint raises a mix of statutory and common law claims, including alleged violations of the Federal Trade Commission Act based on an asserted failure to maintain reasonable data security, along with breach of contract and negligence theories. If the court lets the case move forward as a class action, the litigation could test how far retailers must go to protect payment information and how quickly they are expected to alert customers when something goes wrong, according to Bloomberg Law.
What Nike Shoppers Can Do Right Now
For now, anyone who has shopped with Nike is being urged to keep a close eye on their accounts. That means reviewing bank and card statements for unfamiliar charges, changing passwords on Nike accounts especially if those passwords are reused elsewhere, and watching for official notices from Nike or card issuers.
The Federal Trade Commission’s IdentityTheft.gov lays out practical steps tailored to different types of data exposure, including how to place fraud alerts, when to consider a credit freeze, and how to report suspected identity theft.
Nike declined to comment on the lawsuit when contacted by The Oregonian. Back in January, the company told Reuters it was actively assessing the situation.
The case is still in its early innings. Plaintiffs are asking the federal court to certify a class and let the litigation proceed while judges, lawyers and investigators work to pin down exactly what was accessed, how it happened and who is ultimately on the hook.
