Who is Behind Under Armour's Reported Data Breach?

Clothing giant under fire as ransomware group claims Under Armour data breach | Credit: Getty
Under Armour investigates after 72m user records appear online, allegedly stolen by the Everest ransomware group in a massive cyber leak

Ransomware strikes again.

Sportswear giant Under Armour is the latest brand in the spotlight after the Everest ransomware group claimed responsibility for a major data breach, alleging it has stolen 343GB of company data.

Portions of the stolen information have reportedly surfaced on the group’s dark web leak site after the ransom deadline expired.

According to Have I Been Pwned, a website allowing users to check whether their personal data has been compromised by data breaches, 72 million email addresses and other records including names, genders, birthdates and ZIP codes are present in the leaked dataset.

The incident, said to have taken place in November 2025, also led to class action lawsuits filed in the US, with customers suing the sportswear giant for negligence and failure to safeguard personal information.

Under Armour’s statement, as reported by AP, says the company is investigating the matter: “We have no evidence to suggest this issue has affected UA.com or systems used to process payments or store customer passwords.”

It added: “Any implication that sensitive personal information of tens of millions of customers has been compromised is unfounded.”

The impact on Under Armour customers

While the combination of speculation, litigation and lack of official confirmation from Under Armour has fuelled confusion, the advice from experts is to stay vigilant. 

“When a well-known consumer brand is linked to a major leak, criminals move fast,” says George Foley, Security spokesperson at ESET Ireland.

“They do not stop at the data that was taken. They use it to create believable follow-up emails, texts and even phone calls that look like they are coming from the company involved.

“The aim is to trick people into handing over more information, clicking a link, resetting a password through a fake page or sharing payment details.

“Consumers should treat any unexpected message claiming to be from Under Armour – or referencing an account issue, delivery problem, refund, loyalty points or security verification – as suspicious until proven otherwise.

“If you get a message that pressures you to act quickly, that is a red flag. Go directly to the company’s official website or app yourself, rather than using links in messages.

“And if you reused the same password anywhere else, change those accounts first. Password reuse turns one leak into several compromises.”

What is the Everest ransomware group?

Halcyon Ransomware Research Center previously deemed Everest to be a Russian-speaking operation that emerged in December 2020.

The notorious ransomware group operates a “hybrid model” using ransomware and an Initial Access Broker (IAB) service that sells compromised credentials to threat actors. 

Halcyon ranks it as a “high threat” group that has targeted “critical infrastructure including national electricity transmission operators, aviation systems affecting multiple European airports and telecommunications networks”.

Jon Abbott, Co-Founder and CEO of ThreatAware, says the group has “evolved significantly after coming onto the scene”.

“Once inside a corporate environment, they move quickly,” Jon adds.

“Every move is carefully planned and designed to maximise impact and increase the likelihood of a payout. 

“They are often searching for internet-facing RDP servers without MFA, an unpatched VPN server or user credentials they have purchased from an access broker.

“Once inside the network, they will extract critical data and install remote access tools such as AnyDesk, Splashtop and Atera. What this means is that security fundamentals could not be more critical or urgent. 

“If your assets are patched, you have a full software inventory, a highly accurate and up-to-date user inventory and you are using MFA throughout, you can avoid such an attack, but if they do gain access, you will have dramatically reduced the impact.

“As always after such an attack, customers of the victim should be extra vigilant for phishing attacks or scams that attempt to steal their personal and financial information. 

“If they receive unsolicited emails claiming to be from Under Armour and asking for sensitive information, they should exercise extreme caution.”
