By Matthew Gast
Posted On April 05, 2018

Under Armour Data Breach: Here's What We Know


Last week, Under Armour announced that a breach on MyFitnessPal compromised the data from 150 million users. I learned of the breach when a few friends asked me about it. They were curious because in the past year I’ve taken up cycling, and have apparently been a bit of an annoying evangelist trying to drag people out onto the roads with me. My bicycle is my daily commute vehicle to tCell headquarters. (Not surprisingly, the bicycle is faster than taking the bus, even all the way across town.)

Details on the breach are limited for now. Under Armour said that attackers accessed names, email addresses, and hashed passwords, but no credit card data. (Interestingly, Under Armour did say that the passwords were protected with bcrypt, so the design is probably basically sound.)

As one of the people in my circle of friends who works in infosec, I was asked how attackers could get passwords but not credit card data, and the answer is basically that the cloud is a magical thing.

If you take credit cards for your business, you’re subject to “PCI,” the three-letter abbreviation commonly used as shorthand for Data Security Standard (DSS) certification from the Payment Card Industry (PCI) Security Standards Council. The PCI DSS is a set of rules for safely handling sensitive credit card information, which in the case of large credit card users is verified by an external auditor every year. These annual audits are expensive: in 2010, Network World reported that these audits cost over $200,000.

One of the best ways to establish compliance with the PCI DSS is to focus on your core business, and outsource the rest. One of the easiest ways to achieve PCI compliance is to use a service to process credit card transactions. If you use a service to process payments, your PCI compliance burden is much more manageable because you can essentially reference the hard work done by the payment processing service. In a world where a consumer product can just use PayPal, Stripe, or Square, there are very few legitimate reasons to build your own payment processing system. Without knowing the details of the architecture at Under Armour, I assume the reason that credit cards weren’t compromised is that they outsourced payment processing to a service provider. If you depend on somebody else to handle and store payment data, you can’t possibly lose it.

We’ll follow any future disclosures, and if there’s anything more that comes to light, we’ll have a follow-up post.