Under Armour Praised For How They Managed Data Breach
As many of you might have already heard, Under Armour recently suffered a data breach that compromised the personal information of 150 million MyFitnessPal accounts.
Something you might not have heard is that many leaders in the security industry are actually applauding both how Under Armour handled the incident and the security measures it already had in place.
That has to be a first, right?
While praising a company after a breach is very uncommon, many leaders are giving Under Armour credit for keeping users' payment information in a separate system from the compromised account data. The company is also being commended for handling the breach responsibly: it informed the public within days of discovering the intrusion and required affected users to reset their passwords.
How did Under Armour handle the breach differently?
Well, firstly, most companies fail to detect a breach themselves, let alone detect it quickly.
Under Armour, however, not only discovered the intrusion quickly, but had also protected most stored passwords with bcrypt rather than plain SHA-1 (its own notice said that the majority of passwords were hashed with bcrypt, while a portion were still hashed with SHA-1). Plain SHA-1 is a poor choice for passwords: it is a fast, general-purpose hash, so an attacker can test billions of candidates per second, and billions of already-cracked SHA-1 values are floating around on the web, meaning that an unsalted SHA-1 password hash can often be recovered with a single table lookup rather than any real cracking effort. bcrypt, by contrast, is deliberately slow and tunable, which is exactly the property a password hash needs.
This is why Under Armour took the appropriate measure of instructing its users to change their passwords both on its own site and on any other site where they had reused the same credentials.
One open question about Under Armour's scheme is salting, the practice of mixing a random per-password value into the hash so that two users with the same password get different hashes and precomputed tables become useless. bcrypt generates and stores a random salt by design, so the bcrypt-protected hashes are salted; the question only matters for the passwords that were still hashed with SHA-1, and Under Armour has not said whether those were salted. An unsalted SHA-1 hash lets an attacker crack every account sharing a password with one lookup.
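The difference between the two schemes is easiest to see in code. The following is an added example and not code from Under Armour or the article; it assumes a small constructed wordlist standing in for the leaked SHA-1 tables, and it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt (Python ships no bcrypt), since the two properties that matter here, a random per-password salt and a tunable work factor, are the ones bcrypt provides. The function names (`sha1_unsalted`, `crack_sha1`, `hash_password`, `verify_password`, `crack_salted`) are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample wordlist (assumption: a few entries are enough to show the
# effect). In practice this is the billions of already-cracked SHA-1 values.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "fitness2018"]

# Precompute once: unsalted SHA-1 digest -> plaintext. After this, every stolen
# unsalted hash costs the attacker one dictionary lookup, not one hash.
SHA1_TABLE = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def sha1_unsalted(password: str) -> str:
    """The weak scheme: fast, unsalted. Equal passwords give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1(hex_digest: str) -> Optional[str]:
    """Table lookup against the precomputed SHA-1 values; no work per hash."""
    return SHA1_TABLE.get(hex_digest)


# Stand-in for bcrypt: per-password random salt plus a work factor. bcrypt's
# cost parameter plays the role ITERATIONS plays here.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted hash. Stores algorithm, work factor and salt beside the digest
    so the verifier can recompute it (the same idea as bcrypt's "$2b$12$..." string)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str) -> Tuple[Optional[str], int]:
    """Attacker's view of one salted hash: no table helps, because the salt is
    unique, so every candidate must be re-derived with this record's salt.
    Returns (recovered password or None, number of KDF calls spent)."""
    calls = 0
    for candidate in COMMON_PASSWORDS:
        calls += 1
        if verify_password(candidate, stored):
            return candidate, calls
    return None, calls


if __name__ == "__main__":
    # Two users, same weak password.
    alice_sha1, bob_sha1 = sha1_unsalted("letmein"), sha1_unsalted("letmein")
    print("unsalted SHA-1 identical for both users:", alice_sha1 == bob_sha1)
    print("recovered via table lookup:", crack_sha1(alice_sha1))

    alice_slow, bob_slow = hash_password("letmein"), hash_password("letmein")
    print("salted hashes identical:", alice_slow == bob_slow)
    print("salted crack (password, KDF calls):", crack_salted(alice_slow))
    print("login check:", verify_password("letmein", alice_slow),
          verify_password("LetMeIn", alice_slow))
```

Against a dump of N unsalted SHA-1 hashes the attacker builds the table once and pays one lookup per account; against N salted, slow hashes the attacker pays wordlist-size KDF calls per account, each of which is deliberately expensive. That multiplier is the entire reason the choice of bcrypt over plain SHA-1 matters after a breach.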
Regardless of how well the breach was handled, millions of users' personal data was still compromised.
The company has yet to confirm whether other categories of data were compromised, for example:
- Eating habits
- GPS location
- Other fitness related information
It is also unclear whether that data was encrypted or masked in some way, which should concern users.
Fitness apps and trackers like MyFitnessPal can be excellent tools to help people. Users, however, should be aware that these devices and apps are essentially acting as 'opt-in surveillance': anyone with access to the data an app or device collects can see the user's location, habits and preferences.
The privacy exposure could have landed Under Armour in far more trouble if the GDPR had already been in effect.
“Under Armour claims that no government-issued identifiers were exposed in this breach,” said Gabriel Gumbs, vice president of product strategy for STEALTHbits Technologies. “If this breach occurred 56 days from today, when GDPR enforcement begins, the EU’s Information Commissioner’s Office would draw no distinction as to whether the identifying data was government-issued or not.”
If GDPR were in effect today, Under Armour's breach would probably be investigated much more closely.
“Because of the way GDPR defines identifiable information, there is possibly other information in this breach that would also run afoul of GDPR without having to be government-issued,” said Gumbs. “For example, if the MyFitnessPal mobile app collected a phone's IMEI number, that too would be identifiable data.”
He also says that companies should at this point be in a full sprint to ensure they are prepared for the GDPR.