Analyzing Under Armour's MyFitnessPal Data Breach: A Case Study


Added on  2023/06/06

Case Study
AI Summary
This case study examines the significant data breach experienced by Under Armour, specifically focusing on its MyFitnessPal application. The breach compromised approximately 150 million user accounts, exposing personal information such as usernames, email addresses, and passwords. The attackers exploited vulnerabilities in the company's password encryption methods, particularly the use of the weaker SHA-1 hashing algorithm for some passwords. The aftermath of the attack led to a decline in the organization's stock value, increased expenses for security remediation, and a loss of user trust, resulting in users migrating to competitor apps. The case highlights the critical importance of robust cyber security measures and the potential consequences of data breaches for organizations and their users.
Running Head: Data Breach
CYBER SECURITY
Data Breach
A US-based fitness brand named Under Armour fell prey to a significant data breach linked to
one of its subsidiaries, 'MyFitnessPal'. Under Armour owns the MyFitnessPal software, a website
and mobile application used for keeping track of daily activities such as exercise, diet and
body health.
What did the attacker do during the breach?
Under Armour announced that some 150 million user accounts were compromised in the data breach,
which was marked as one of the biggest data breaches in history. The hackers were able to breach
Under Armour's MyFitnessPal app, compromising users' personal details such as usernames,
passwords and email addresses (Caplan, 2017). The attacker obtained the personal details of
millions of accounts and was swimming in login credentials. Although payment card details were
not compromised, the breach was still said to be one of the largest in history. The attackers
gained access to a large trove of millions of user email addresses, which are considered
valuable to a cyber-criminal. These stolen email addresses can be used to boost stock prices
through dumping schemes run over email (Maringer et al., 2018).
How was the attack made and what was the threat vector?
The intrusion was detected by the company within a week of the breach, and an investigation was
launched immediately to find the root cause. The company was able to protect some sensitive
information by hashing the passwords, that is, by converting the stored passwords into
indistinct strings of characters. Despite this measure, the company later admitted that it had
hashed only a few passwords using a robust and strong function called bcrypt, while the
remaining passwords were protected by an outdated hashing method called SHA-1. SHA-1 is known
to have flaws and is a weak scheme for protecting passwords. The attackers were able to get into
the system through this weak link, cracking some of the stolen passwords without any trouble.
This weak link was like an open invitation to the hackers, and they easily got out with the
users' details. The threat vector included the data of around 150 million users from across the
world, including personal details such as passwords (Armour, 2017). These passwords were later
sold or used in other online scams.
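The mixed bcrypt/SHA-1 password store described above can be closed off without waiting for every user to log in. The following is an added example, not part of the original case study or Under Armour's code: it wraps legacy SHA-1 digests in a slow, salted KDF and rehashes on the next successful login. PBKDF2 from the Python standard library stands in for bcrypt, and the record layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def legacy_sha1(password: str) -> str:
    """Legacy scheme: one fast, unsalted SHA-1 pass (the weak format)."""
    return hashlib.sha1(password.encode()).hexdigest()

def _kdf(secret: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS).hex()

def wrap_legacy(sha1_hex: str) -> dict:
    """Upgrade a stored SHA-1 digest offline, without knowing the password."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(sha1)", "salt": salt.hex(),
            "hash": _kdf(sha1_hex.encode(), salt)}

def new_record(password: str) -> dict:
    """Target format: salted slow hash of the password itself."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "hash": _kdf(password.encode(), salt)}

def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record); a wrapped record is rehashed on successful login."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "pbkdf2(sha1)":
        candidate = _kdf(legacy_sha1(password).encode(), salt)
    else:
        candidate = _kdf(password.encode(), salt)
    ok = hmac.compare_digest(candidate, record["hash"])
    if ok and record["scheme"] != "pbkdf2":
        record = new_record(password)  # drop the SHA-1 layer entirely
    return ok, record

if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    db = {"alice": legacy_sha1("sunshine1"), "bob": legacy_sha1("sunshine1")}
    print("identical legacy hashes:", db["alice"] == db["bob"])
    wrapped = {user: wrap_legacy(h) for user, h in db.items()}
    print("identical after wrapping:",
          wrapped["alice"]["hash"] == wrapped["bob"]["hash"])
    ok, rec = verify_and_upgrade(wrapped["alice"], "sunshine1")
    print("login ok:", ok, "new scheme:", rec["scheme"])
```

Once every row is wrapped, the bare SHA-1 column should be deleted, since any surviving copy keeps the fast offline check available.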
After effects of the attack
The unreliable state of its data security led to a drastic downturn for the organization. With
shares dropping almost four percent in after-hours trading and a considerable amount invested
in notifying people about the breach, the company lost value. A large amount was also spent on
engaging data security firms and the police to find and close the gap. Where people had
previously been attracted to this fitness app, the breach affected the organization's market
and its sales revenue dropped. People started migrating to other contemporary apps and the
company went into crisis (Sen & Borle, 2015).
References
Armour, C. (2017). Cyber resilience: Leadership matters. Cyber Security: A Peer-Reviewed Journal, 1(2), 134-146.
Caplan, E. M. (2017). MapMyFitness: tracking your training and routes. British Journal of Sports Medicine, 51(16), 1231-1232.
Maringer, M., van't Veer, P., Klepacz, N., Verain, M. C., Normann, A., Ekman, S., ... & Geelen, A. (2018). User-documented food consumption data from publicly available apps: an analysis of opportunities and challenges for nutrition research. Nutrition Journal, 17(1), 59.
Sen, R., & Borle, S. (2015). Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems, 32(2), 314-341.