
Under Armour says it is ‘aware’ of data breach claim affecting 72 million customers

Email addresses, names and genders were among the information allegedly stolen in November, but the company only acknowledged the matter within recent days.
Under Armour says that it is investigating an alleged data breach involving the personal data of 72 million customers. (Photo courtesy of Under Armour)

Under Armour has acknowledged that it knows about a potential data breach impacting 72 million of its customers weeks after the information was posted online.

The data breach is alleged to have happened in November, according to internet security website Have I Been Pwned?, which acquired a copy of the stolen information from a hacking forum. The files that are part of the breach were also shared on other websites frequented by hackers.

Based on the information in the breach, compromised data includes email addresses, genders, names, dates of birth, zip codes and lists of purchases.

Despite Have I Been Pwned? posting a notice about the data breach weeks ago, Under Armour only confirmed that it was aware and investigating the claim.

“We have no evidence to suggest this issue has affected UA.com or systems used to process payments or store customer passwords. Any implication that sensitive personal information of tens of millions of customers has been compromised is unfounded.”

Meanwhile, a message posted on social media platform X on January 18 detailed how much customer data was accessed.

According to the post, hackers claimed to have accessed 343 gigabytes of data that included 72 million email addresses, over 191 million total records, loyalty program identifiers, employee contact information, browsing behavior, ratings and preferences.

When news of the breach was made public in November, Everest, an online ransomware group, released a sample of the stolen data on its website as proof that it was responsible and allegedly gave Under Armour seven days to respond. The group has been linked to similar incidents that have impacted AT&T, Coca-Cola and other companies.

But by early December, several Under Armour customers reported on Reddit that they had received alerts from credit monitoring services that their data had been compromised and the information was being used on the dark web.

Until its statement on Thursday, Under Armour had not made any public comments about the incident on its website, social media or on its investor portal.

On December 12, one customer, Orvin Ganesh, filed a class action lawsuit in the U.S. District Court for the District of Maryland and the complaint stated that Under Armour had “numerous statutory, regulatory, contractual, and common law duties and obligations” to protect its consumer data.

Ganesh’s filing also notes that Under Armour should have been even more “particularly aware of the threat cybercriminals pose” since the company’s MyFitnessPal platform, which it owned from 2015 to 2020, was impacted by a data breach in 2018 that affected 150 million accounts.

Within days of learning of that breach, Under Armour sent emails and in-app messages to MyFitnessPal users and urged them to change their passwords.
