Under Armour, a clothing and fitness data company, is investigating claims of a data breach. This follows a cybercriminal posting millions of customer records to a hacker forum.
The seller of the data told TechCrunch it was taken in a November data breach. At that time, the Everest ransomware gang claimed responsibility for the attack on its dark web leak site.
News of the data theft gained wider attention this week. The breach notification site Have I Been Pwned obtained a copy of the stolen data and emailed 72 million individuals to notify them their information was compromised.
According to Have I Been Pwned, the stolen dataset includes names, email addresses, genders, dates of birth, and customers' approximate locations based on postcode or ZIP code. The data also contains information relating to customer purchases.
The seller provided TechCrunch with a sample of the stolen data, which appears to contain millions of records of Under Armour customer purchases. This sample matched the types of data reported by Have I Been Pwned. The stolen data also includes numerous email addresses belonging to Under Armour employees.
When reached for comment, Under Armour spokesperson Matt Dornic stated the company is aware of claims that an unauthorized third party obtained certain data. He added that their investigation, with the assistance of external cybersecurity experts, is ongoing.
The spokesperson emphasized that, at this time, there is no evidence to suggest this issue affected UA.com or systems used to process payments or store customer passwords.
Dornic also stated that the number of affected customers with any sort of information that could be considered sensitive is a very small percentage. The spokesperson did not immediately respond to a follow-up email asking what types of customer information Under Armour considers sensitive, nor did he provide an accurate figure of how many customers are affected.
The spokesperson said any implication that sensitive personal information of tens of millions of customers has been compromised is unfounded.
Under Armour did not say if it plans to notify customers whose information was compromised. It also did not say if it had received any correspondence from the hackers, such as a ransom demand.

