Another day, another data breach. This time it is MyFitnessPal, a nutrition tracking app that was acquired for US$475 million by Under Armour Inc.
Facts (may change): As a result of a cybersecurity breach, close to 150 million accounts (yes, it's a massive data breach) have been compromised. Attribution of the malicious actors behind this incident is unknown.
At best, Under Armour has been sloppy and lazy in responding to this breach. I talk about the following in my opinion piece.
The compromised data consisted of
The company issued an FAQ page; both are linked at the bottom of the page.
The response from Under Armour is, at best, poor and half-baked (couldn't think of any fitness
There is simply no excuse for the way Under Armour appears to have protected customer information, nor for its lackadaisical response.
In my opinion, every organisation must have its executives trained in and made aware of the basics of Cyber Incident Planning and Response: knowledge and understanding of threats, threat actors and their modus operandi, and being prepared to detect and respond to incidents in a consistent, repeatable and efficient manner.
Download and use the Cyber Incident Planning & Response Mind Map and our Incident Planning & Response Action Checklist to start making your business more cyber resilient.
Many privacy practitioners (including myself) and journalists cannot wait for the GDPR to be officially enforced. Consider this statement from the Under Armour PR statement:
Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.
Four days after becoming aware! Without reprinting or reading the whole GDPR recitals out loud, even my dog, a cute little miniature Yorkshire Terrier, could tell you that when it comes to breach notification, under GDPR, you have 72 hours within which to notify the authorities. It took four days for MyFitnessPal to let customers know!
Nor do I see any specific timelines for when they got in touch with the regulatory authorities. I wonder when the ICO in the UK knew about this?
From the PR statement and the FAQ page it appears that MyFitnessPal have not reset the passwords of all affected users. Rather, they are requiring a password change on login. So, thinking out loud here, the criminals could reset all the passwords themselves?
“The MyFitnessPal account information that was not protected using bcrypt was protected with SHA-1, a 160-bit hashing function.”
Reading statements like the one about a 160-bit hashing function, I kept thinking: "Surely, would most regular customers who may be reading this (and it's a separate discussion whether or not the average Joe or Jane would read this at all) even understand the basics of bcrypt or SHA-1?" My opinion: not really.
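To make the bcrypt-versus-SHA-1 point concrete for readers who are not cryptographers, here is an added Python example (not code from the original post or from Under Armour) that stores the same constructed sample passwords two ways: as unsalted SHA-1, and with a salted, deliberately slow password hash. It assumes the standard library's PBKDF2 as a stand-in for bcrypt, since both share the property that matters here (a per-user salt and a tunable work factor); the sample passwords are constructed, not taken from the breach.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed sample passwords: two users happen to share the same one.
SAMPLE_PASSWORDS = ["password", "password", "correct horse battery staple"]

# Work factor for the slow hash (assumption: chosen for a quick demo, not a production setting).
ITERATIONS = 100_000


def sha1_hash(password: str) -> str:
    """Unsalted SHA-1, the weaker scheme named in the statement."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None,
              iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 standing in for bcrypt).
    A fresh 16-byte salt is drawn per user when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return salt, digest


def verify_slow(password: str, salt: bytes, digest: bytes,
                iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = slow_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def largest_sha1_cluster(passwords) -> int:
    """How many users share one identical stored value under unsalted SHA-1.
    Cracking that one value reveals every one of their passwords at once."""
    counts = {}
    for pw in passwords:
        h = sha1_hash(pw)
        counts[h] = counts.get(h, 0) + 1
    return max(counts.values())


def duplicate_slow_digests(passwords) -> int:
    """Same passwords stored with per-user salts: digests no longer collide,
    so each account must be attacked separately."""
    digests = [slow_hash(pw)[1] for pw in passwords]
    return len(digests) - len(set(digests))


def speed_ratio(seconds: float = 0.2) -> float:
    """Hashes per second of SHA-1 divided by hashes per second of the slow
    scheme. A large ratio is the whole point of bcrypt-style hashing:
    each guess against a leaked table costs the attacker far more."""
    salt = os.urandom(16)

    def rate(fn) -> float:
        n, start = 0, time.perf_counter()
        while time.perf_counter() - start < seconds:
            fn()
            n += 1
        return n / (time.perf_counter() - start)

    fast = rate(lambda: sha1_hash("password"))
    slow = rate(lambda: slow_hash("password", salt))
    return fast / slow


if __name__ == "__main__":
    print("largest SHA-1 cluster:", largest_sha1_cluster(SAMPLE_PASSWORDS))
    print("duplicate salted digests:", duplicate_slow_digests(SAMPLE_PASSWORDS))
    print("SHA-1 is roughly %.0fx faster to guess against" % speed_ratio())
```

The two collision counters are the part to show a non-technical reader: under unsalted SHA-1 every user with the same password has the identical stored value, whereas the salted scheme stores a different value for each of them, and the timing ratio shows why a slow hash buys time to force password changes after a leak.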
Do this now: Instead of waiting on Under Armour, do the following immediately:
Start Your Response Planning Now!
In addition, if you are running a business of any size, consider getting all the middle to senior management trained on how to plan and prepare for a cyber attack. All layers of management must have basic security awareness and the knowledge required to make their organisations more cyber resilient.
To begin planning your incident response you can download our Cyber Incident Planning & Response mind map here. We also created an Action Checklist to help you on your journey. You can download the checklist here.
More Information and Useful Links