Under Armour says it's 'aware' of data breach claims after 72M customer records were posted online - TechCrunch

Clothing and fitness data company Under Armour said it is investigating claims of a data breach after a cybercriminal posted millions of customer records to a hacker forum. The seller told TechCrunch that the data was taken in a November data breach, which the Everest ransomware gang claimed responsibility for in a post on its dark web leak site at the time.  News of the data theft became more widely known this week after breach notification site Have I Been Pwned obtained a copy of the stolen data, and notified 72 million individuals by email that their information had been compromised. Have I Been Pwned said the stolen Under Armour dataset included names, email addresses, genders, dates of birth, and customers’ approximate location based on postcode or ZIP code. The data also included information relating to purchases. The seller provided TechCrunch with a sample of the stolen data, which appears to contain millions of records of Under Armour customer purchases and matched the types of data that Have I Been Pwned had reported. The stolen data contains reams of email addresses belonging to Under Armour employees. When reached for comment, Under Armour spokesperson Matt Dornic told TechCrunch that the company is “aware of claims that an unauthorized third party obtained certain data.” “Our investigation of this issue, with the assistance of external cybersecurity experts, is ongoing. Importantly, at this time, there’s no evidence to suggest this issue affected UA.com or systems used to process payments or store customer passwords,” the spokesperson added. “What we know at this time is the number of affected customers with any sort of information that could be considered sensitive is a very small percentage,” said Dornic.  The spokesperson did not immediately respond to a follow-up email asking what types of customers’ information Under Armour considers “sensitive” information, nor did he provide an accurate figure of how many customers are affected by the breach. “Any implication that sensitive personal information of tens of millions of customers has been compromised is unfounded,” the spokesperson said. Under Armour did not say if it planned to notify customers whose information was compromised. It did not say if it had received any correspondence from the hackers, such as a demand for ransom. Topics cyberattack, cybersecurity, data breach, Security, Under Armour Zack Whittaker Security Editor Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security. He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com. View Bio April 30 San Francisco, CA StrictlyVC kicks off the year in SF. Get in the room for unfiltered fireside chats with industry leaders, insider VC insights, and high-value connections that actually move the needle. Tickets are limited. REGISTER NOW Most Popular Palantir posts mini-manifesto denouncing inclusivity and ‘regressive’ cultures ‘Tokenmaxxing’ is making developers less productive than they think Anthropic launches Claude Design, a new product for creating quick visuals Physical Intelligence, a hot robotics startup, says its new robot brain can figure out tasks it was never taught Anthropic CPO leaves Figma’s board after reports he will offer a competing product After sale of its shoe business, Allbirds pivots to AI An Amazon warehouse worker died on the job at Oregon facility