A US Breach
Keen to point out this excludes them from a GDPR mauling
Adidas warned late on Thursday that hackers may have lifted customer data from its US website. The sportswear maker said personal data, including contact information (addresses and email addresses), and encrypted passwords may have fallen into the hands of criminals, but was able to reassure customers that neither financial …
Er, no it doesn't. Not if there are EU residents' PII in those databases. (Note: _residents_, not citizens. An American citizen with a US passport working in the UK is covered by GDPR. IANAL, if you get your advice from commentards you deserve anything you get, but that's my understanding anyway... )
"Why did they store email addresses/passwords in one place and useful info like credit cards in (presumably) another database? Haven't they heard of normalisation?"
Normalization is a database design paradigm. Also, they may have normalized the database and split the data into separate tables for security purposes. Normalization does not mean all the data that is common to an entity must be in the same table; it just means that data is not duplicated between tables. So splitting the data up for an entity between different tables may be done for a variety of reasons including security.
One reason to do denormalization is speed. If many/most of my reports do not require the credit card fields, you don't drag them into memory. The security aspect is also there, especially if you have those fields encrypted to begin with, and you should damned well have them encrypted even to the DBAs and DBEs.
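To make the point in the two replies above concrete, here is an added example, not posted by any commenter and not Adidas's schema, of one customer entity split across three tables so that credentials and card data live apart from contact data, the card number is stored only as ciphertext produced by the application, and a reporting role is granted nothing on the sensitive tables. All table, column and role names are hypothetical; the syntax is PostgreSQL.

```sql
-- Added example (hypothetical names): one customer entity split across three
-- tables. This is still normalized: customer_id is the single join key and no
-- attribute is duplicated between tables.

CREATE TABLE customer (
    customer_id  BIGSERIAL PRIMARY KEY,
    email        TEXT NOT NULL UNIQUE,
    postal_addr  TEXT
);

-- Credentials kept apart from contact data; only a salted password hash is
-- stored (e.g. argon2id or bcrypt output), never the password itself.
CREATE TABLE customer_credential (
    customer_id   BIGINT PRIMARY KEY REFERENCES customer(customer_id) ON DELETE CASCADE,
    password_hash TEXT NOT NULL,
    updated_at    TIMESTAMPTZ NOT NULL DEFAULT now()
);

-- Card data in its own table. The PAN column holds ciphertext produced by the
-- application with a key that is never stored in the database, so a DBA who
-- can read the table still cannot read card numbers. pan_last4 exists only
-- for display in the customer's account page.
CREATE TABLE payment_card (
    card_id        BIGSERIAL PRIMARY KEY,
    customer_id    BIGINT NOT NULL REFERENCES customer(customer_id) ON DELETE CASCADE,
    pan_ciphertext BYTEA NOT NULL,
    pan_last4      CHAR(4) NOT NULL,
    expiry_month   SMALLINT NOT NULL CHECK (expiry_month BETWEEN 1 AND 12),
    expiry_year    SMALLINT NOT NULL
);

-- Least privilege: reporting can read contact data and nothing else, so a
-- compromised reporting credential exposes neither hashes nor card ciphertext.
CREATE ROLE reporting NOLOGIN;
GRANT SELECT ON customer TO reporting;
REVOKE ALL ON customer_credential, payment_card FROM reporting;

-- The payments service is the only role that touches payment_card, and it
-- needs no access to email addresses or password hashes.
CREATE ROLE payments_svc NOLOGIN;
GRANT SELECT, INSERT, DELETE ON payment_card TO payments_svc;
GRANT USAGE, SELECT ON SEQUENCE payment_card_card_id_seq TO payments_svc;

-- A typical report: runs as `reporting` and never pulls card or credential
-- columns into memory, which is the speed argument made in the thread.
SELECT c.customer_id, c.email, c.postal_addr
FROM customer AS c
ORDER BY c.customer_id;
```

With this layout a dump of `customer` alone yields contact data but no credentials, and a dump of `payment_card` alone yields ciphertext without the key, which is the practical difference between the two databases the original commenter asked about.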
This will lead to massive spam from companies who buy this stolen data in addition to possible new fraudulent credit card accts. being opened and many more headaches. Companies who are negligent in protecting customer data should be held accountable both financially and criminally. You can bet if CEOs get sent to prison for 5+ years for their negligence, security will be taken much more seriously.