The MyFitnessPal data breach has triggered a lawsuit against parent company Under Armour, filed on behalf of users of the mobile health app.
The legal case is being described as a putative class action against Under Armour over its liability for the theft of millions of users’ personal information. The allegations are that the MyFitnessPal data breach was caused by Under Armour’s failure to safeguard the data it held for users.
150 million users were reportedly affected by the MyFitnessPal data breach, a figure that includes countless victims in the UK as well.
What happened in the MyFitnessPal data breach?
The MyFitnessPal data breach involved unauthorised access to users’ personal data by an unknown (assumed third-party) threat actor. Under Armour reportedly became aware of the incident in late March, but the breach itself is understood to have taken place in February 2018.
Under Armour wrote to users affected by the breach and asked them to change their passwords as a security precaution.
What data was accessed in the MyFitnessPal data breach?
Data reportedly accessed in the MyFitnessPal data breach includes:
- Usernames;
- Email addresses;
- Hashed passwords.
Under Armour share values apparently dropped by 3.8% in the wake of the data breach scandal, which is a fairly common occurrence with these large-scale data breaches affecting multinational organisations.
It’s understood that payment information, which is stored separately, has not been affected by the breach.
Another GDPR near-miss
The MyFitnessPal data breach is undoubtedly a GDPR near-miss.
Had the data breach occurred just 12 weeks later, Under Armour may have been facing new and record fines in the region of £17m, or 4pc of their global annual turnover.
That could have been huge; crippling, even.
That being said, the point of the new GDPR is to ensure that organisations are motivated to properly protect the data they hold for people. Even so-called “minor data breaches” can cause serious harm to victims, especially those whose data has been compromised across several different breaches, meaning more information can be gathered about the victim.
Fraudsters can easily piece together a profile on their victims, and any data breach of this nature should be treated as a serious matter. Imagine if a victim of this breach also uses Equifax credit services, who were hacked last year, and has purchased gig tickets through Ticketmaster and has been a victim of their breach.