Fitness apparel manufacturer Under Armour gave us a good example of how companies can try to protect their user’s data but often fail to fully cover everything that needs protecting. The information that was stolen from Under Armour is minor compared to some of the data stolen from other companies hacked but still gives us a closer look at what hackers target, and that is why it makes our list of worst breaches of mid-year 2018. It’s a solid reminder that any security breach of this magnitude is significantly detrimental.
In late February of this year, Under Armour announced that its MyFitness Pal app had been hacked. With nearly 150 million users on their platform, the affected information included usernames, email addresses, and hashed passwords – the majority had been protected with the strong hashing encryption function called bcrypt, but other exposed information, including usernames and email addresses, was protected by easier-to-crack SHA-1 hashing.
This article by Wired explains how Under Armour, “had done a good enough job setting up its data protections that the hackers couldn’t access valuable user information like location, credit card numbers, or birth dates, even as they were swimming in login credentials.” Under Armour even had protected passwords but failed to protect all their passwords which lead to customers data being stolen.”
What happened after the hack is paramount. Under Armour had to conduct forensics to determine what was stolen, what data was vulnerable, and what was protected. But all that accomplished, really, was to allow users whose information was stolen to know it was stolen. It’s unfortunate, but there is not much more that can actually be done. High profile hacks such as the UA event shine more light on the questions about the overall security of your data and more importantly, how you will recover from a disastrous event. If Under Armour had a good backup copy of their data, they could best assess what was comprised and begin the best course of action to recovery. It begins with a good backup and disaster recovery plan.