Nike Data Breach Class Action Lawsuit What Customers Need to Know
A class action lawsuit filed in March 2026 accuses Nike Inc. of failing to protect customer data after a January 2026 cyberattack exposed names, email addresses, billing addresses, phone numbers, transaction details, and payment card information. Plaintiff Maria Gomez, a California resident, filed the lawsuit in the U.S. District Court for the District of Oregon on behalf of a proposed nationwide class of affected Nike customers. No settlement has been reached. The case is in active litigation.
Quick Facts
| Field | Detail |
| Defendant | Nike Inc. |
| Plaintiff | Maria Gomez (proposed nationwide class) |
| Breach Discovery Date | On or around January 21, 2026 |
| Customer Notification Date | February 25, 2026 |
| Data Allegedly Exposed | Names, email addresses, billing addresses, phone numbers, transaction info, payment card details |
| Laws Alleged Violated | Negligence, breach of implied contract, unjust enrichment, FTC Act, California privacy law |
| Case Number | 6:26-cv-00564-AP |
| Court | U.S. District Court, District of Oregon |
| Settlement Status | None — active litigation |
| Claim Deadline | Not applicable — no settlement yet |
Current Status and What Happens Next
- The lawsuit was filed in Oregon federal court in late March 2026. The case is in its earliest stages — no class has been certified, and no settlement has been proposed.
- Nike has not admitted wrongdoing and maintains that no full payment card details or account credentials were accessed in the incident.
- Consumers who received a breach notification letter from Nike should preserve it. That letter may become important if a settlement is eventually reached and a claim period opens.
What the Nike Data Breach Lawsuit Is About
In January 2026, an extortion group known as WorldLeaks — described by cybersecurity researchers as a successor to the ransomware gang Hunters International — claimed to have stolen approximately 1.4 terabytes of data from Nike’s systems. WorldLeaks operates as a data theft and extortion group that takes files and then pressures victims with the threat of public leaks, rather than using traditional ransomware encryption. The group published samples of the claimed data on a Tor-based leak site.
According to reporting from security outlets, WorldLeaks listed Nike on its leak site on or around January 22, 2026, and published the data on January 24, 2026, before Nike had publicly confirmed the scope of the incident. Nike acknowledged it was investigating a potential cybersecurity incident and began working with law enforcement and outside cybersecurity experts.
The lawsuit filed by Maria Gomez focuses on a separate but related incident. Gomez alleges that Nike discovered unauthorized access involving a third-party service provider on or around January 21, 2026, and that customer information potentially exposed includes names, email addresses, billing addresses, phone numbers, transaction information, and payment card information. Nike stated publicly that no full payment card details or account credentials were accessed, but the lawsuit disputes whether Nike took adequate steps to prevent the intrusion in the first place.
Related article: $59.5M Flo Period Tracker Privacy Lawsuit Settlement, How to Sign Up and Claim Your Money
The complaint alleges Nike breached its duties under common law, contract law, industry standards, and the Federal Trade Commission Act to implement reasonable and adequate data security measures. The lawsuit also raises California privacy claims on behalf of a proposed California subclass.
Who May Be Affected
You may be affected if you are a Nike customer whose personal information was stored in the systems involved in the January 2026 breach.
You may be affected if you received an official written notice from Nike about the January 2026 data security incident — these notifications began going out on or around February 25, 2026.
You may be affected if your information includes any combination of names, email addresses, billing addresses, phone numbers, transaction history, or payment card details stored through Nike’s platform or a third-party service provider Nike used.
You are likely not part of the proposed class if Nike did not store your personal information in connection with a purchase or account, or if Nike did not notify you of any exposure.
One important note on scope: Nike’s statement says no full payment card numbers or account login credentials were accessed. Nike said the incident involved a third-party service provider and resulted in unauthorized access to limited consumer information, and that it immediately worked with law enforcement and leading cybersecurity experts to strengthen protections. The plaintiff disputes whether Nike’s security measures were adequate regardless of what specific data was ultimately accessed.
What the Lawsuit Alleges Nike Did Wrong
The core of the lawsuit is not just that a breach happened — it is that Nike allegedly knew or should have known its systems were vulnerable and failed to act.
The complaint claims Nike waited more than a month after discovering the breach to begin notifying customers. The lawsuit says Nike did not begin informing victims of the data breach until February 25, 2026, more than a month after the company claims to have discovered it, leaving customers unaware and unable to take protective steps during that window.
The lawsuit also argues the delay was particularly harmful because consumers with exposed personal information face ongoing risks from identity theft and fraud. Once personal data circulates among bad actors, affected individuals typically need to monitor credit reports, freeze accounts, and stay alert for fraudulent activity — steps that are more effective when taken quickly.
Gomez claims Nike’s handling of the incident amounts to three separate legal wrongs. Negligence means Nike failed to use reasonable care to protect data it collected and stored. Breach of implied contract means customers had a reasonable expectation that Nike would safeguard the personal information they provided when making purchases. Unjust enrichment means Nike benefited financially from collecting that data while failing to invest adequately in protecting it.
What Customers Should Do Right Now
Even though no settlement exists yet, there are practical steps Nike customers can take today to reduce their risk.
If you received a breach notification letter from Nike, read it carefully and keep it. It documents that your information was part of the incident and will likely be required if a claim period opens in the future.
Review your bank and credit card statements for any unfamiliar charges. Contact your card issuer immediately if you spot transactions you do not recognize.
Consider placing a free credit freeze with all three major credit bureaus — Equifax, Experian, and TransUnion. A freeze prevents new credit accounts from being opened in your name without your explicit authorization. Freezes are free and can be lifted temporarily when you need to apply for credit.
Set up free fraud alerts through the credit bureaus. Unlike a freeze, a fraud alert simply requires lenders to take extra verification steps before extending credit in your name.
Monitor your email address for phishing attempts. Criminals who obtain email addresses from breaches often use them to send fake messages impersonating companies or banks. Do not click links in unexpected emails — navigate directly to the company’s website instead.
For a look at data breach cases that have already resulted in compensation for consumers, see our coverage of open data breach settlements you can claim right now at AllAboutLawyer.com.
Frequently Asked Questions
Do I need a lawyer to participate in this lawsuit?
Not at this stage. The case is in active litigation with no settlement yet. If a settlement is eventually reached and a claims period opens, most data breach settlements allow consumers to file claims directly online at no cost and without hiring an attorney.
Is this lawsuit legitimate?
Yes. Gomez v. Nike Inc., Case No. 6:26-cv-00564-AP, is a real case filed in the U.S. District Court for the District of Oregon. Bloomberg Law, KPTV (FOX 12 Oregon), and other credible outlets have confirmed the filing.
When will I receive a payment?
There is no payment available at this time. A settlement has not been proposed or approved. If one is reached in the future, a claims period will open and we will update this article with deadlines and eligibility details.
What if I missed a claim deadline?
There is no claim deadline because no settlement exists yet. If you received a Nike breach notification letter, preserve it. Future eligibility for any settlement will likely depend on your ability to show your data was affected.
Will any future settlement payment affect my taxes?
Potentially. The IRS generally treats data breach settlement payments as taxable income unless the payment specifically compensates for a physical injury. Consult a tax professional when and if you receive a payment.
How is this different from other Nike privacy lawsuits?
Nike has faced several separate privacy lawsuits in recent years, including cases alleging the company used website tracking technology to collect user data without consent. This January 2026 data breach lawsuit is distinct — it stems from unauthorized external access to Nike’s systems through a third-party service provider, not from Nike’s own tracking practices.
What laws did Nike allegedly violate?
The complaint cites negligence under common law, breach of implied contract, unjust enrichment, and duties established under the Federal Trade Commission Act. It also raises California-specific privacy claims for a proposed California subclass of affected customers.
How long does a data breach class action lawsuit typically take?
Data breach class actions routinely take two to four years from filing to settlement or judgment. The case must first survive a motion to dismiss, then the court must certify the class, and the parties negotiate a settlement — or proceed to trial. This case is in its earliest stage.
Sources and References
- Case Filing: Gomez v. Nike Inc., Case No. 6:26-cv-00564-AP, U.S. District Court for the District of Oregon
Last Updated: April 6, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah