Under Armour Hacked… MyFitnessPal No Longer My Pal
It’s getting difficult for me to determine which security incidents to blog about…
First up, Facebook’s unauthorized sharing/selling of 50 million persons’ private information, a definite FTC violation at $40k each, should bring Zuck $2 trillion in fines.
Next, the City of Atlanta has dealt with a ransomware attack which crippled the digital systems of 5 out of 13 local government departments for over one week (last week).
Now, as if it were a side note, Under Armour comes out from under their rock to “fess up” on March 29th that on March 25th they learned that the personal data of 150 million MyFitnessPal diet and fitness app user accounts was compromised in February. Yes, February – you read that right.
This doozy at Under Armour is now the largest data breach, so far, in 2018 and claims the “Fourth Largest Breach in History” based on the number of records compromised.
Here’s the list…
- The largest historic hacks include 3 billion Yahoo accounts compromised in 2013.
- User credentials and identities of more than 412 million users of adult websites run by FriendFinder were leaked in 2016.
- The personal information of over 200 million registered U.S. voters (nearly all of them) was left wide open to the public on an Amazon cloud server when Deep Root, a marketing firm hired by the Republican National Committee (RNC), failed to password-protect this sensitive data and left it available for nearly 20 days.
- The usernames, email addresses, and encrypted passwords of 150 million Under Armour MyFitnessPal users.
- The sensitive personal data of over 147 million consumers was stolen from Equifax due to their gross negligence in not patching its servers.
- Email addresses of 83 million customers were stolen in a hack against JPMorgan Chase in 2015. This data was later used in stock pump-and-dump schemes according to the U.S. federal indictments.
Under Armour says that Social Security numbers, driver license numbers, and payment card data were not compromised. But this doesn’t minimize the incident, since name and email constitute PII, and they didn’t pay attention for nearly 2 months, which is plenty of time for a bad actor to work on decrypting the victims’ passwords.
Under Armour had a post on its website that it will require MyFitnessPal users to change their passwords, and it urged users to do so immediately. I’d argue that if they forced a password reset as they’ve indicated, then the immediacy of changing your password shouldn’t matter.
Bad on you if you use the same passwords for other accounts (such as your email account).
While Under Armour may not have detected the breach until March 25th, they sat on it for four (4) days after they learned of the incident. That’s 96 hours!
This, in and of itself, is a breach of the General Data Protection Regulation (GDPR) law which mandates notification to authorities and victims within 72 hours.
It is increasingly evident that legacy security practices are not working. Each of these mega-businesses claims to have a world-class Security Operations Center and qualified security professionals, and they spend millions on volumes of security tools. I don’t dispute any of this. But they are simply failing to detect, control, manage, prevent, and respond to security incidents. Facebook might be an exception, since they appear to have purposely sold/shared the personal data of their users. But for the others, the things they have in common are the tools they use, the processes they employ, the quality of the people they employ, and the breaches that they all share.
It’s time for next-generation security – zero trust, advanced analytics, and the intelligence to work smarter, not harder.
Ask us about how Spyglass can help you prevent these tragedies by employing next-generation security, like we do for our clients.
Till next time,