Under Armour Suffers Massive Data Breach: 72.7 Million Customer Records Exposed in Everest Ransomware Attack


Athletic apparel giant Under Armour has become the latest victim in a troubling wave of ransomware attacks targeting major consumer brands. According to data breach notification service Have I Been Pwned (HIBP), 72.7 million customer accounts were compromised in a November 2025 ransomware attack orchestrated by the veteran Everest cybercrime group. The stolen data, which includes names, email addresses, dates of birth, purchase histories, and geographic locations, was publicly leaked on a cybercrime forum on January 18, 2026.

Executive Summary

The Under Armour breach represents one of the largest consumer data exposures of early 2026 and highlights the escalating threat facing retail and e-commerce companies. What makes this incident particularly concerning is not just its scale, but the sophistication of the Everest ransomware group—a veteran operation that has been actively targeting high-profile organizations since 2020 while maintaining a relatively low public profile compared to more notorious groups like LockBit or BlackCat.

The breach comes amid a broader pattern of attacks on major sportswear and athletic brands. Nike is currently investigating a separate breach allegedly perpetrated by the WorldLeaks ransomware group, suggesting that the athletic apparel sector has become a prime target for cybercriminals seeking high-value consumer data.

Timeline of the Breach

November 2025: Initial Compromise

Everest ransomware group gains unauthorized access to Under Armour's systems and exfiltrates customer data. The company has not publicly disclosed how attackers initially gained access, though common vectors include:

  • Phishing campaigns targeting employees
  • Exploitation of unpatched vulnerabilities
  • Compromise of third-party vendors with system access
  • Stolen or weak credentials

November 2025: Ransom Demand

Everest adds Under Armour to its dark web leak site, threatening to release stolen data unless the company pays an undisclosed ransom within seven days. Under Armour apparently declines to pay.

January 18, 2026: Public Data Leak

A member of the Everest ransomware group posts the stolen Under Armour data on a popular cybercrime forum, making it available to other threat actors for exploitation.

January 21, 2026: Have I Been Pwned Notification

HIBP ingests the leaked files and confirms 72.7 million affected accounts. The service begins notifying affected individuals by email.

January 21-22, 2026: Class Action Lawsuit

Law firm Chimicles Schwartz Kriner & Donaldson-Smith files a proposed class action lawsuit on behalf of Under Armour customer Orvin Ganesh, alleging negligence and inadequate data protection.

January 22, 2026: Under Armour Acknowledges Incident

Under Armour issues a brief statement saying it is "aware" of the data breach claims but provides few details about the scope or impact of the incident.

What Data Was Compromised

According to HIBP's analysis of the leaked data, the breach exposed:

Confirmed Data Elements

  • Names (full names of account holders)
  • Email addresses (72.7 million unique addresses)
  • Dates of birth (enabling age verification and identity theft)
  • Gender information
  • Geographic locations (cities, states, countries)
  • Purchase histories (details of prior transactions)

Additional Claims by Everest

The ransomware group claims the stolen data also includes:

  • Phone numbers (both mobile and landline)
  • Physical addresses (shipping and billing)
  • Loyalty program details (UA Rewards membership information)
  • Preferred store locations

If accurate, these additional data elements significantly increase the risk to affected customers, as they enable:

  • Identity theft — Full profiles for creating fraudulent accounts or applying for credit
  • Targeted phishing — Personalized attacks using purchase preferences and loyalty data
  • Physical threats — Home addresses enable in-person crimes or mail fraud
  • Financial fraud — Combination of personal data enables sophisticated account takeovers

Who Is Everest?

Unlike some ransomware groups that explode onto the scene with high-profile attacks before being dismantled or imploding, Everest has maintained a steady, relatively low-profile operation since 2020—an eternity in the ransomware world.

Operational Longevity

Everest's six-year operational history far exceeds the typical lifespan of ransomware groups, which tend to last 12-18 months before:

  • Law enforcement takedowns (like LockBit's infrastructure disruption)
  • Internal conflicts and group dissolution
  • Rebranding to avoid law enforcement attention
  • Member arrests leading to operational collapse

This longevity suggests Everest has developed sophisticated operational security, diversified revenue streams, and effective internal governance structures.

Three Revenue Streams

According to cybersecurity firm Halcyon, Everest operates a diversified criminal business model with three distinct revenue channels:

1. Double Extortion Ransomware

The traditional ransomware playbook:

  • Encrypt victim systems to disrupt operations
  • Exfiltrate sensitive data before encryption
  • Demand ransom for both decryption key and promise not to leak data
  • If unpaid, leak data on dark web sites and forums

2. Network Access Brokerage

Everest sells access to compromised networks to other threat actors:

  • Initial access to corporate networks
  • Elevated credential sets
  • VPN configurations and access methods
  • Information about security controls and valuable data locations

This approach generates revenue even from targets that might not be suitable for direct ransomware attacks.

3. Insider Recruitment Program

Perhaps most concerning, Everest actively recruits insiders within target organizations:

  • Offers payments to employees who provide credentials or disable security controls
  • Targeted recruitment of IT staff, security personnel, and system administrators
  • Use of social engineering to identify and cultivate potential insider threats

This insider program gives Everest a significant advantage over groups relying solely on external exploitation techniques.

Previous High-Profile Targets

Everest's portfolio includes several significant breaches:

Collins Aerospace — Compromised a major aerospace and defense contractor, exfiltrating sensitive technical data

Sweden's Power Grid — Targeted critical infrastructure, demonstrating willingness to attack essential services

Brazilian Government — Attacked government systems, exposing political and administrative data

ASUS (via supplier) — Compromised the technology manufacturer through a supply chain attack, affecting internal files and potentially customer data

Dublin Airport — October 2025 attack reportedly compromised 1.5 million passenger records

Nissan Motor Corporation — January 2026 attack allegedly stole 900GB of data

McDonald's India — January 2026 attack exfiltrated 861GB of sensitive data

Under Armour — November 2025 attack exposed 72.7 million customer accounts

This diverse target list—spanning aerospace, critical infrastructure, government, technology, aviation, automotive, food service, and retail—demonstrates Everest's opportunistic approach and broad capabilities.

Why Everest Stays Under the Radar

Despite its impressive track record and six-year operational history, Everest rarely appears in rankings of most dangerous or prolific ransomware groups. This strategic obscurity offers several advantages:

Less Law Enforcement Attention

Groups like LockBit and BlackCat draw significant FBI, Europol, and international law enforcement focus due to their high-profile attacks and large ransom demands. Everest's lower profile means fewer resources are dedicated to tracking and dismantling the operation.

Diversified Revenue Reduces Single-Attack Pressure

By generating income from access brokerage and insider recruitment in addition to ransomware, Everest doesn't need massive headline-grabbing ransoms to remain profitable.

Operational Security Through Obscurity

Maintaining a lower public profile makes it harder for security researchers to:

  • Track the group's tools, techniques, and procedures (TTPs)
  • Identify infrastructure for potential takedowns
  • Attribute specific attacks to Everest
  • Anticipate future targets

The Sportswear Industry Under Siege

The Under Armour breach must be understood within the context of a broader campaign targeting athletic apparel companies:

Nike — January 2026

The WorldLeaks ransomware group claims to have stolen 1.4TB of data from Nike, including:

  • Jordan Brand design files
  • Supply chain documentation
  • Internal business documents
  • Potentially customer data

Nike issued a statement saying it is "investigating a potential cyber security incident."

Pattern of Targeting

Why are athletic apparel companies attractive targets?

1. Valuable Customer Data
Sportswear companies maintain detailed customer profiles including:

  • Size and fit preferences
  • Purchase histories revealing income levels
  • Loyalty program participation
  • Email and phone contact information
  • Payment card data

2. Intellectual Property
Design files, manufacturing processes, and supply chain relationships represent enormous value to competitors and nation-state actors engaged in industrial espionage.

3. Global Supply Chains
Complex, multi-party supply chains create numerous potential entry points for attackers. A compromised vendor or logistics partner can provide access to the primary target.

4. Direct-to-Consumer Operations
E-commerce platforms and mobile apps create large attack surfaces with numerous potential vulnerabilities.

5. Brand Sensitivity
Athletic apparel companies invest heavily in brand image. The threat of leaked customer data and associated reputational damage creates pressure to pay ransoms.

Impact on Affected Customers

The 72.7 million individuals whose data was exposed face several risks:

Immediate Threats

Identity Theft
The combination of names, dates of birth, email addresses, and geographic locations provides sufficient information for many forms of identity fraud, including:

  • Opening fraudulent credit accounts
  • Filing false tax returns
  • Obtaining government benefits
  • Creating fake identification documents

Targeted Phishing and Social Engineering
Attackers can craft highly personalized phishing emails using:

  • Purchase histories to reference specific products
  • Loyalty program details to impersonate Under Armour
  • Personal information to increase apparent legitimacy

Account Takeovers
Email addresses and associated personal information enable:

  • Password reset attacks on various platforms
  • Credential stuffing if customers reused passwords
  • SIM swapping attacks to compromise two-factor authentication

Spam and Marketing Abuse
Email addresses will inevitably appear on spam lists, leading to:

  • Increase in unsolicited commercial email
  • Scam offers exploiting brand association
  • Potential malware delivery via email

Long-Term Risks

Persistent Fraud Risk
Unlike a compromised credit card that can be cancelled and replaced, personal information cannot be changed. The exposed data enables fraud attempts for years or even decades.

Data Aggregation
Cybercriminals combine data from multiple breaches to build comprehensive profiles. Today's Under Armour data combines with yesterday's healthcare breach and tomorrow's bank compromise to create detailed dossiers enabling sophisticated fraud.

Unknown Future Uses
It's impossible to predict how adversaries will leverage this data in the future. Information that seems innocuous today might become valuable for unforeseen attack techniques or fraud schemes.

Class Action Lawsuit

The proposed class action filed on behalf of customer Orvin Ganesh will likely allege:

Negligence
Failure to implement reasonable security measures to protect customer data

Breach of Contract
Violation of privacy policies and terms of service promising data protection

Unjust Enrichment
Under Armour profited from collecting customer data while failing to adequately protect it

Violation of State Consumer Protection Laws
Failure to comply with various state data security and breach notification requirements

Previous retail data breach settlements provide a sense of potential liability:

  • Target (2013): $18.5 million settlement with 47 states
  • Home Depot (2014): $17.5 million settlement with 46 states
  • Equifax (2017): $425 million settlement fund (though many received minimal payments)

Regulatory Investigations

Under Armour faces potential investigations and penalties from:

State Attorneys General
Each state where customers were affected can investigate and potentially fine the company for:

  • Inadequate security practices
  • Delayed breach notification
  • Violations of state consumer protection laws

Federal Trade Commission
The FTC can investigate whether Under Armour:

  • Engaged in deceptive practices regarding data security
  • Failed to implement reasonable security measures
  • Violated prior consent decrees (if applicable)

International Regulators
If European, Canadian, Australian, or other international customers were affected, Under Armour may face:

  • GDPR violations (up to 4% of global revenue)
  • Canada's PIPEDA enforcement
  • Australia's Privacy Act penalties
  • Various other international data protection laws

What Went Wrong?

While Under Armour has not disclosed details about the breach, common factors in similar incidents include:

Inadequate Network Segmentation

When customer databases are not isolated from other network segments, attackers who gain initial access anywhere on the network can move laterally and reach the sensitive data.

Insufficient Monitoring and Detection

The November breach wasn't publicly disclosed until January, suggesting:

  • Inadequate security information and event management (SIEM)
  • Lack of user and entity behavior analytics (UEBA)
  • Insufficient log analysis and anomaly detection
  • Delayed or absent intrusion detection systems (IDS)

Weak Access Controls

If attackers could access 72.7 million customer records, questions arise about:

  • Why wasn't access more tightly restricted?
  • Were privileged accounts properly secured?
  • Was multi-factor authentication required for database access?
  • Were there alerts for bulk data exports?

Supply Chain Vulnerabilities

Many recent breaches occur through third-party vendors. Did Under Armour:

  • Adequately vet vendor security practices?
  • Monitor vendor access to customer data?
  • Implement contractual security requirements?
  • Conduct regular security assessments of key vendors?

Patch Management Failures

Unpatched vulnerabilities remain a primary attack vector. Did Under Armour:

  • Maintain a current inventory of all systems and software?
  • Implement a risk-based patch management process?
  • Monitor for newly disclosed vulnerabilities in deployed software?
  • Test and deploy critical patches within acceptable timeframes?

What Should Affected Customers Do?

If you're among the 72.7 million affected individuals:

Immediate Actions

1. Verify You're Affected
Check Have I Been Pwned (haveibeenpwned.com) using the email address associated with your Under Armour account.

2. Change Passwords
Reset your Under Armour password and any other accounts where you used the same or similar passwords.

3. Enable Two-Factor Authentication
Activate 2FA on your Under Armour account and all important accounts (email, financial, healthcare, etc.).

4. Monitor Financial Accounts
Watch for unauthorized transactions on credit cards and bank accounts. Set up fraud alerts.

5. Check Credit Reports
Review your credit reports from all three bureaus (Equifax, Experian, TransUnion) for unauthorized accounts or inquiries. You're entitled to free weekly reports at AnnualCreditReport.com.

6. Consider Credit Freeze
A security freeze prevents new accounts from being opened in your name. Contact each credit bureau to implement.

Ongoing Vigilance

Be Alert for Phishing
Expect personalized phishing emails referencing your Under Armour purchase history or loyalty program. Verify legitimacy before clicking links or providing information.

Monitor for Identity Theft
Watch for signs like:

  • Tax returns rejected because one was already filed
  • Unexpected credit denials
  • Bills or collection notices for unknown accounts
  • IRS letters about unreported income

Document Everything
Keep records of:

  • Breach notifications received
  • Time spent responding to the breach
  • Money spent on protective measures
  • Any fraud or identity theft you experience

This documentation will be valuable if you participate in class action litigation or file individual claims.

Stay Informed
Monitor Under Armour's communications for:

  • Identity protection services they may offer
  • Additional breach details as they emerge
  • Settlement information if class action proceeds

What Should Under Armour Do?

Immediate Response

1. Transparent Communication
Provide clear, detailed information about:

  • What happened and how attackers gained access
  • Exactly what data was compromised
  • What security improvements have been implemented
  • What support is being offered to affected customers

2. Comprehensive Identity Protection
Offer affected customers:

  • Multi-year identity theft protection and monitoring
  • Credit monitoring services from all three bureaus
  • Identity theft insurance with sufficient coverage limits
  • Dedicated support for fraud resolution

3. Incident Response Excellence
Demonstrate that the company has:

  • Fully contained the breach and expelled attackers
  • Conducted thorough forensic analysis
  • Implemented remediation measures
  • Engaged independent security experts for validation

Long-Term Security Transformation

1. Zero Trust Architecture
Implement zero trust principles:

  • Verify explicitly for every access request
  • Use least-privilege access controls
  • Assume breach and minimize damage potential

2. Advanced Threat Detection
Deploy modern security operations capabilities:

  • AI-powered SIEM and SOAR platforms
  • User and entity behavior analytics
  • Deception technology (honeypots, honeytokens)
  • Threat intelligence integration

3. Supply Chain Security
Rigorously manage third-party risk:

  • Comprehensive vendor security assessments
  • Continuous monitoring of vendor access
  • Contractual security requirements with penalties
  • Regular third-party penetration testing

4. Insider Threat Program
Given Everest's insider recruitment efforts:

  • Implement behavioral monitoring for anomalous activity
  • Establish anonymous reporting mechanisms
  • Conduct regular security awareness training emphasizing insider threats
  • Implement separation of duties for sensitive functions

5. Encryption and Data Minimization

  • Encrypt customer data at rest and in transit
  • Minimize data collection to only necessary information
  • Implement data retention policies with automatic deletion
  • Anonymize or pseudonymize data where possible

Implications for the Retail Sector

The Under Armour breach sends clear messages to the retail industry:

You Are a Target

If you collect customer data—especially personal information, purchase histories, and loyalty program details—you are a valuable target for ransomware groups and data thieves.

Brand Value Makes You Vulnerable

The more valuable your brand, the more pressure you'll face to pay ransoms to prevent reputational damage from data leaks.

Supply Chains Are Attack Surfaces

Your security is only as strong as your weakest vendor, partner, or service provider.

Traditional Security is Insufficient

Perimeter defenses and signature-based antivirus are inadequate against modern ransomware groups employing AI-powered tools, insider recruitment, and zero-day exploits.

Incident Response Must Be Immediate

The two-month gap between the November attack and January public disclosure suggests inadequate detection capabilities. Modern threats require real-time detection and response.

Recommendations for Retail CISOs

Technical Priorities

  1. Implement comprehensive logging across all systems with customer data
  2. Deploy AI-powered anomaly detection to identify unusual data access patterns
  3. Segment networks to limit lateral movement after initial compromise
  4. Encrypt customer databases at rest with proper key management
  5. Implement data loss prevention to detect and block bulk data exfiltration
  6. Require MFA for all privileged access to systems with customer data
  7. Conduct regular penetration testing including social engineering and physical security
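One concrete form of the bulk-export alerting and unusual-data-access detection recommended here (and asked about under "Weak Access Controls" above), as an added example that is not from the original article or from Under Armour: a small Python detector that runs over database audit log lines and flags an account whose reads from a sensitive table exceed a row budget within a sliding time window. The JSON log format, table names, account names and thresholds are constructed for illustration.

```python
"""Flag bulk reads from a customer-records table in database audit logs.

Assumed log format (constructed for this example, not any real product's):
one JSON object per line with the fields
  ts (ISO-8601 UTC), user, src_ip, table, rows
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: a nightly reporting job reads modest batches, while a
# support account suddenly pulls hundreds of thousands of customer rows.
SAMPLE_AUDIT_LOG = """\
{"ts": "2025-11-03T02:00:01Z", "user": "report_svc", "src_ip": "10.20.0.15", "table": "customers", "rows": 5000}
{"ts": "2025-11-03T02:05:02Z", "user": "report_svc", "src_ip": "10.20.0.15", "table": "customers", "rows": 5000}
{"ts": "2025-11-03T02:10:03Z", "user": "report_svc", "src_ip": "10.20.0.15", "table": "customers", "rows": 5000}
{"ts": "2025-11-03T03:12:44Z", "user": "support_jdoe", "src_ip": "10.30.4.9", "table": "orders", "rows": 12}
{"ts": "2025-11-03T03:14:10Z", "user": "support_jdoe", "src_ip": "10.30.4.9", "table": "customers", "rows": 60000}
{"ts": "2025-11-03T03:16:55Z", "user": "support_jdoe", "src_ip": "10.30.4.9", "table": "customers", "rows": 60000}
{"ts": "2025-11-03T03:19:30Z", "user": "support_jdoe", "src_ip": "10.30.4.9", "table": "customers", "rows": 60000}
{"ts": "2025-11-03T03:22:01Z", "user": "support_jdoe", "src_ip": "10.30.4.9", "table": "customers", "rows": 60000}
"""

# Tables holding personal data; reads from other tables are ignored here.
SENSITIVE_TABLES = {"customers"}


def parse_line(line):
    """Parse one JSON audit record and convert its timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_bulk_reads(log_text, window_seconds=600, row_threshold=100000):
    """Return one alert per episode in which a user's reads from sensitive
    tables exceed row_threshold rows inside a sliding window_seconds window.

    After an alert the user's window is cleared, so a sustained export raises
    a new alert each time it crosses the threshold again rather than on every
    query. In production the threshold would be set per account from its
    observed baseline (the reporting job above legitimately reads in batches).
    """
    windows = defaultdict(deque)   # user -> deque of (timestamp, rows)
    totals = defaultdict(int)      # user -> rows currently inside the window
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["table"] not in SENSITIVE_TABLES:
            continue
        user, ts = rec["user"], rec["ts"]
        q = windows[user]
        q.append((ts, rec["rows"]))
        totals[user] += rec["rows"]
        # Expire events that have fallen out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            _, old_rows = q.popleft()
            totals[user] -= old_rows
        if totals[user] > row_threshold:
            alerts.append({
                "user": user,
                "src_ip": rec["src_ip"],
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
                "rows": totals[user],
            })
            q.clear()
            totals[user] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_AUDIT_LOG):
        print(alert)
```

The routine reporting account never exceeds the budget, while the support account's four large reads produce two alerts that a SOC could route to the same playbook used for DLP hits on outbound transfers.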

Organizational Priorities

  1. Make security a board-level priority with regular reporting on risk posture
  2. Establish a dedicated insider threat program given Everest's recruitment tactics
  3. Create a cross-functional incident response team with clear roles and responsibilities
  4. Conduct tabletop exercises simulating ransomware and data theft scenarios
  5. Develop business continuity plans assuming complete system compromise
  6. Build relationships with law enforcement before incidents occur

Strategic Priorities

  1. Shift security mindset from prevention to resilience—assume compromise and minimize damage
  2. Invest in security operations capabilities that enable rapid detection and response
  3. Build cyber risk into business decisions—understand how security impacts customer trust and financial performance
  4. Participate in industry ISACs to share threat intelligence and best practices
  5. Advocate for stronger security throughout your supply chain—your vendors' security is your security

The Broader Pattern: Ransomware's Evolution

The Under Armour breach exemplifies several important trends in the ransomware ecosystem:

From Encryption to Exfiltration

Modern ransomware groups increasingly focus on data theft rather than just encryption. Why?

  • Backups reduce encryption impact—companies can restore from backups
  • Data has lasting value—stolen data can be sold, resold, or used for future attacks
  • Extortion is more reliable—companies will pay to prevent data leaks even if they can recover systems

Professionalization of Cybercrime

Everest's diversified business model, operational longevity, and insider recruitment program demonstrate the increasing sophistication of ransomware operations. These aren't amateur hackers—they're organized criminal enterprises with HR, business development, and strategic planning.

Targeting Consumer Brands

While critical infrastructure and healthcare generate headlines, consumer brands like Under Armour, Nike, and McDonald's offer attractive targets:

  • Large volumes of personal data
  • Brand sensitivity to reputational damage
  • Often weaker security than financial services or defense contractors
  • Payment capacity without the regulatory scrutiny of healthcare or finance

Ransomware-as-a-Service Limitations

While many groups operate as RaaS (ransomware-as-a-service) with affiliates conducting attacks, Everest's direct operation model allows:

  • Tighter operational security
  • Consistent quality of attacks
  • More sophisticated long-term targeting

Conclusion: Wake-Up Call for Consumer Brands

The exposure of 72.7 million Under Armour customer records isn't just another data breach statistic—it's a stark warning that consumer brands have become prime targets for sophisticated, well-resourced ransomware operations.

Everest's six-year operational history, diversified business model, and insider recruitment program demonstrate that retail companies face threats previously associated with critical infrastructure and defense contractors. The old assumption that a modest security budget and compliance with PCI-DSS would suffice is no longer tenable.

For affected customers, the breach means years of increased fraud risk and vigilance. For Under Armour, it means regulatory investigations, class action litigation, remediation costs, and reputational damage that will take years to repair.

For the retail sector, it should mean a fundamental rethinking of cybersecurity as a core business function rather than an IT checkbox. When 72.7 million customer records can be stolen despite presumably competent security teams and substantial resources, something is fundamentally wrong with our approach to protecting consumer data.

The question facing every retail CISO is simple: Will you learn from Under Armour's experience and make the necessary investments in detection, response, and resilience before your breach, or will you be explaining to your board, customers, and regulators why you didn't take action when the warnings were clear?


By Breached Company