Under Armour Data Breach Exposes 72 Million Customer Records

January 22, 2026

A massive data breach affecting sportswear giant Under Armour has resulted in the public release of 72.7 million customer email addresses along with sensitive personal information. The leak, published on a hacking forum on January 18, 2026, represents one of the largest retail data breaches in recent years and highlights the growing threat of ransomware attacks targeting major corporations.

The Attack Timeline

The breach originated from a ransomware attack carried out by the Everest cybercriminal group in November 2025. The attackers successfully infiltrated Under Armour's systems and exfiltrated approximately 343 gigabytes of internal company data, including customer records and employee information. Following standard ransomware tactics, Everest demanded payment within a seven-day deadline. When Under Armour failed to meet the ransom demands, the stolen data was posted publicly on dark web forums.

Troy Hunt, operator of the breach notification service Have I Been Pwned, confirmed the authenticity of the leaked dataset on Tuesday, January 21. The service has now incorporated the breach into its database, allowing affected individuals to check whether their information was compromised.

Scope of Exposed Information

The leaked dataset is substantial both in size and scope. According to Have I Been Pwned's analysis, the decompressed data amounts to roughly 19.5 gigabytes spread across 191 million total records in multiple files. The exposed information includes customer email addresses, full names, dates of birth, gender information, geographic locations, and detailed purchase histories.

Security researchers at Cybernews confirmed that the breach affects both customers and employees, with the data including marketing information such as complete purchase histories and store locations where transactions occurred. Notably, 76 percent of the exposed email addresses had already appeared in previous data breaches tracked by Have I Been Pwned, meaning attackers now possess even more comprehensive profiles on these individuals.

AI-Enhanced Phishing Threats

Security professionals have issued urgent warnings about the potential for sophisticated phishing attacks enabled by this breach. Rob Babb, exposure management strategist at Seemplicity, explained that the verified data tied to a real brand allows attackers to leverage artificial intelligence to craft highly convincing phishing messages.

These AI-generated attacks can reference real orders, actual transaction identifiers, and specific purchase behaviour, effectively blurring the line between fraudulent communications and legitimate brand correspondence. This level of personalisation makes it exponentially more difficult for victims to identify phishing attempts.

Babb cautioned that the real impact of such breaches often materialises weeks or months after the initial incident, once the breach is no longer prominent in public consciousness. This delayed effect allows cybercriminals to capitalise on reduced vigilance among affected customers.

Company Silence and Legal Fallout

Under Armour, headquartered in Baltimore, Maryland, has maintained complete silence regarding the incident. The company did not respond to media requests for comment when Everest first claimed responsibility in November 2025, has not issued breach notifications to affected customers, and continues to decline comment as the data circulates publicly.

This silence has prompted legal action. Maryland resident Orvin Ganesh filed a lawsuit in federal court alleging that Under Armour failed to implement reasonable safeguards to protect customer data and "failed to even encrypt or redact" sensitive customer information. Law firm Chimicles Schwartz Kriner & Donaldson-Smith has also filed a proposed class action on behalf of affected customers.

The lawsuits allege violations of federal and state data protection statutes as well as breaches of Under Armour's own internal privacy policies. Under Armour reported $5.1 billion in revenue for 2025 and operates approximately 15,000 branded retail stores worldwide, making the company's apparent lack of data security measures particularly concerning to plaintiffs.

Broader Industry Context

The Under Armour breach fits within a troubling pattern of increasing ransomware attacks targeting the retail sector. Data from 2025 showed that retail and wholesale industries were among the most frequently targeted sectors for ransomware attacks, alongside manufacturing, technology, and healthcare.

Ransomware attacks in 2025 shattered previous records with a 58 percent year-on-year increase in observed victims. The ransomware economy heading into 2026 features faster rebranding cycles, more credential-based intrusion methods, cross-platform encryption capabilities, and double extortion tactics becoming standard practice.

The integration of artificial intelligence into cyberattack methodologies represents a significant escalation in threat sophistication. Security experts predict that AI agents will soon be capable of deploying thousands of personalised phishing emails per second, crafting zero-day exploits instantly, and distributing ransomware across thousands of endpoints in under a minute.

Recommendations for Affected Users

Individuals with Under Armour accounts should treat all communications claiming to be from the company with heightened suspicion, even if they appear legitimate. Security professionals recommend avoiding clicking links or downloading attachments from unexpected emails, regardless of how convincing they may appear.

Affected users should monitor their accounts for suspicious activity, enable multi-factor authentication wherever possible, and consider using unique passwords for different services to limit the damage if credentials are compromised. Given that 76 percent of affected email addresses had appeared in previous breaches, many individuals may face compounded risks from attackers cross-referencing multiple datasets.

Published January 22, 2026 at 3:49am