Nike Inc. is facing a proposed class action lawsuit in federal court in Oregon, adding to the growing wave of data privacy litigation confronting fashion and retail companies. In the complaint, Plaintiff Maria Gomez points to a January 2026 cybersecurity incident involving Nike that allegedly exposed a broad swath of consumer personally identifiable information, including names, email addresses, billing details, phone numbers, transaction histories, and payment card data.
At the heart of the case, which was filed in the U.S. District Court for the District of Oregon on March 24, is Gomez’s claim that Nike failed to implement reasonable cybersecurity safeguards. As a result, cybercriminals were able to infiltrate what Gomez describes as an “inadequately protected network,” gaining access to sensitive customer data stored within the company’s systems.
Gomez seeks to represent a nationwide class of affected individuals, asserting that the breach was not only preventable but also mishandled in its aftermath. The complaint alleges that Nike discovered the incident on or around January 21, 2026, yet did not begin notifying impacted consumers until February 25 – more than a month later. That delay, the filing claims, deprived consumers of the opportunity to take timely protective measures against identity theft and fraud.
The lawsuit further points to reports that a ransomware group published approximately 1.4 terabytes of Nike data online, amplifying concerns about the scope and potential fallout of the breach. Gomez maintains that affected individuals were “wholly unaware” of the incident until they received notification letters from the company, by which point the exposure had already occurred.
With the foregoing in mind, Gomez lodges negligence, breach of implied contract, and unjust enrichment claims against Nike, with the implied contract argument hinging on the theory that consumers who provide personal data to a retailer do so with the expectation that the company will take adequate steps to protect that information. The plaintiff also raises California-specific privacy claims on behalf of a proposed subclass, and is seeking declaratory and injunctive relief, along with compensatory and punitive damages.
While Nike has not commented on the complaint, it said in connection with the breach: “Nike previously identified an incident involving a third-party service provider that resulted in unauthorized access to limited consumer information. No full payment card details or account credentials were accessed. Nike immediately worked with law enforcement and leading cybersecurity experts, took steps to strengthen protections, and provided notifications and support as appropriate to impacted individuals.”
THE BIGGER PICTURE: The case sheds light on the mounting legal and reputational risks for fashion and retail companies operating in an era of heightened data sensitivity. As brands continue to expand their digital ecosystems and the volume of consumer data they collect, consumers are waging litigation that centers, in part, on what “reasonable” data security looks like.
The case is Gomez v. Nike, Inc., 6:26-cv-00564 (D. Or.)
Share
