NextFin

Under Armour Investigates Data Breach After 72M Customer Records Posted Online

Summarized by NextFin AI
  • Under Armour is investigating a significant data breach affecting approximately 72 million customer records, revealed on January 22, 2026 and stemming from a November 2025 security incident.
  • The Everest ransomware group claimed responsibility for the breach, which involved the exfiltration of 343GB of data, with no evidence that payment systems or passwords were compromised.
  • This incident highlights vulnerabilities in the retail sector, particularly the issue of data hoarding, where non-financial Personally Identifiable Information (PII) is less protected, making it attractive to cybercriminals.
  • Financial repercussions for Under Armour could be severe, including potential class-action lawsuits and regulatory fines due to inadequate security measures; the incident may also prompt a shift in national cybersecurity standards.

NextFin News - Clothing and fitness data giant Under Armour confirmed on January 22, 2026, that it is investigating claims of a massive data breach after a cybercriminal posted approximately 72 million customer records to a prominent hacker forum. The leak, which surfaced earlier this week, reportedly stems from a security incident in November 2025. At that time, the Everest ransomware group claimed responsibility for infiltrating the company’s systems and exfiltrating 343GB of data, though the full extent of the compromise only became public following the recent data dump.

According to TechCrunch, the breach notification service Have I Been Pwned obtained a copy of the stolen dataset and began notifying affected individuals. The compromised information includes names, email addresses, genders, dates of birth, and approximate geographic locations based on ZIP codes. Crucially, the data also contains records related to customer purchases. Under Armour spokesperson Matt Dornic stated that the company is working with external cybersecurity experts to investigate the issue. Dornic emphasized that there is currently no evidence that payment processing systems or customer passwords were affected, suggesting the breach may have targeted a secondary database or a marketing-related repository.

The timing of this disclosure is particularly sensitive for the Baltimore-based retailer. The Everest group had previously set a seven-day ransom deadline in late 2025, which Under Armour appears to have ignored. The subsequent release of the data on an underground forum confirms that the threat actors have moved from extortion to public distribution. While Dornic characterized the percentage of customers with "sensitive" information affected as "very small," the sheer volume of 72 million records makes this one of the largest retail data breaches in recent years, rivaling the scale of the 2018 MyFitnessPal breach, which affected 150 million users under the same corporate umbrella.

From an analytical perspective, the Under Armour incident underscores a persistent vulnerability in the retail sector: the "data hoarding" problem. Retailers often collect vast amounts of non-financial PII (Personally Identifiable Information) to fuel recommendation engines and loyalty programs. While these databases are often less protected than payment gateways, they are goldmines for modern cybercriminals. As noted by Rob Babb, an exposure management strategist at Seemplicity, the danger lies not just in the email addresses themselves, but in the purchase history attached to them. With access to specific transaction IDs and buying patterns, attackers can use generative AI to craft highly convincing phishing campaigns that mimic legitimate customer service interactions.

The financial implications for Under Armour extend beyond immediate remediation costs. According to Security Magazine, the company is already facing a class-action lawsuit alleging it failed to implement adequate security measures to protect consumer data. Under the current regulatory environment in 2026, where data privacy laws have tightened globally, the company could face significant fines if investigators find that the breach resulted from negligence or the use of legacy systems. The fact that the Everest group reportedly gained access to other major firms like Collins Aerospace through "open doors" such as outdated FTP servers suggests a potential pattern of targeting infrastructure weaknesses that many large corporations have yet to patch.

Looking forward, this breach is likely to accelerate a shift in how U.S. President Trump’s administration approaches national cybersecurity standards for the private sector. With 72 million Americans potentially exposed, there is growing pressure for federal mandates requiring stricter data minimization—forcing companies to delete customer data that is no longer essential for business operations. For Under Armour, the path to recovery involves not just technical patches, but a fundamental rebuilding of consumer trust. As cybercriminals increasingly leverage AI to weaponize stolen purchase histories, the retail industry must move toward a "zero-trust" architecture for all customer-facing databases, regardless of whether they house credit card numbers or merely shopping lists.
