Under Armour Data Breach, GDPR and Ineffective Breach Notification
Date: 31 March 2018
Another day, another data breach. This time with MyFitnessPal, a nutrition tracking app that was acquired for US$475million by Under Armour Inc.
Facts (may change) As result of a cybersecurity breach, close to 150 million accounts (yes, it's a massive data breach) have been compromised. Attribution of the malicious actors behind this incident is unknown.
At best, Under Armour has been sloppy and lazy in responding to this breach. I talk about the following in my opinion piece.
- Under Armour's Ineffective Planning
- How this skirts around GDPR's various laws
- How their protection approach has been sloppy
- Under Armour executives need Cyber Incident Planning & Response Training.
- Useful links & more information
Was Personal Information was Breached?
The compromised data consisted of
- users email addresses,
- usernames and
- hashed passwords, (hashed with the bcrypt hashing function to obscure them)
The company issued a FAQ page, both at the bottom of the page.
Ineffective Cyber Incident Response Planning
The response from Under Armour is, at best, poor and half baked (couldn’t think of any fitness related puns here) In this context there are only two truths, namely:
- Data Breaches:, data breaches are a matter of when not if,
- Regulations: GDPR being the most prominent for now and related breach notification stipulations,
There is simply no excuse for the way Under Armour appear to have protected customer information and in their lackadaisical response.
In my opinion, every organisation must have their executives trained in and made aware of the basics of Cyber Incident Planning and Response; the knowledge and understanding of threats, threat actors, their modus-operandi and the act of being prepared to detect and respond to in a consistent, repeatable and efficient manner.
Download and use the Cyber Incident Planning & Response Mind Map and our Incident Planning & Response Action Checklist to start making your business more cyber resilient.
GDPR and Under Armour: Check this Out!
Many privacy practitioners (including myself) and journalists cannot wait for the GDPR to be officially enforced. Consider this statement from the Under Armour PR statement:
Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.
Four days after becoming aware! Without reprinting or reading the whole GDPR recitals out loud, even my dog, a cute little miniature Yorkshire Terrier, could tell you that when it comes to breach notification, under GDPR, you have 72 hours within which to notify the authorities. It took four days for MyFitnessPal to let customers know!
Neither do I see any specific timelines about when they got in touch with regulatory authorities. I wonder when the ICO in the UK knew about this?
To Reset the Password Or Not?
From the PR statement and the FAQ page it appears that MyFitnessPal have not reset the passwords of all affected users. Rather, they are requiring a password change on login. So, thinking out loud here, the criminals could reset all the passwords themselves?
Ignorance or Laziness? You make up your mind.
In the FAQ page Under Armour states that some passwords were better protected than the others! If not that serious it would be funny actually. You used good security on some passwords but could not be bothered to ensure conformity and consistency?
“The MyFitnessPal account information that was not protected using bcrypt was protected with SHA-1, a 160-bit hashing function.”
Are Under Armour Customers Mostly Geeks?
Some of the statements, like the one about 160-bit hashing function and thinking “Surely, most regular customer who may be reading this (and it’s a separate discussion whether or not the average Joe or Jane would read this) would even understand the basics of bcrypt or SHA-1. My opinion, not really.
Do this Now: Instead of waiting on Under Armour, do the follow immediately:
- Change your password on the website
- Start using a password manager (we use 1Password, you can use others)
- If you were / are using the same password for Under Armour elsewhere, change the passwords on those sites.
Start Your Response Planning Now!
In addition, if you are running a business, of any size, consider getting allthe middle to senior management trained on how to plan and prepare for a cyber attack. All layers of management must have basic security awareness and the knowledge required to make their organisations more cyber resilient.
Remember, a cyber attack could easily lead to a data breach, that could put you at odds with the GDPR on several fronts.
To begin planning your incident you can download our Cyber Incident Planning & Response mind map here. We also created a Action Checklist to help you on your journey. You can download the checklist here.
More Information and Useful Links
- IBM's X-Force details on this exploit - Not much information, but refers to an Android vulnerability in 2014.
- Our own GCHQ Certified Cyber Incident Planning & Response workshop's page.
- Under FAQ page.