In another blow for the brand and possibly to its reputation, Under Armour admitted that as many as 150 million MyFitnessPal user accounts were compromised in February of this year. The incident ranked as one of the biggest hacks in history.
Shares of Under Armour closed Monday at $16.06, down 30 cents, or 1.8 percent, in its first day of trading since the announcement.
The stolen data includes account user names, e-mail addresses and scrambled passwords for users of MyFitnessPal, its health-and-fitness mobile app and website. Social security numbers, driver license numbers and payment card data were not compromised, Under Armour said in a statement.
The company said, “On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018. The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.”
Under Armour added that the company is working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities.
MyFitnessPal does not collect social security numbers and driver’s license numbers from its members. Payment card data was not affected because it is collected and processed separately.
Under Armour said, “The company’s investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.”
Four days after learning of the issue, the company said it began notifying the MyFitnessPal community via e-mail and through in-app messaging. The notice contained recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.
A microsite was provided for those seeking additional information at: https://content.myfitnesspal.com/security-information/FAQ.html.
The brand earned some praise for the company’s quick response to the breach.
“Under Armour’s response to this crisis should be applauded, especially when you compare how Facebook and Uber responded in similar situations,” said Curtis Sparrer, principal of Bospar PR and author of “Public Relations Crisis Management: Are You Prepared?”
“Under Armour did everything Facebook failed to do in its latest PR disaster: Under Armour quickly notified the people impacted and the public at large while Facebook went to great lengths to suppress the Cambridge Analytica scandal. When Uber discovered their data breach they sat on the news for a year. By contrast Under Armour was a master class in how to respond in a crisis. I thought it was smart for Under Armour to contact their customers through in-app messaging and provide a FAQ. They contacted a data security firm to assist in its investigation. They clearly thought through the entire customer journey during a crisis–something tech giants should do as well.”
But the breach also points to the downside of owning a data-centric business. While financial data such as credit card info wasn’t stolen, e-mail addresses can be valuable to cyber criminals.
“E-mail addresses are valuable for spammers because the attackers would know that active, real users are behind these addresses,” Engin Kirda, a professor at Northeastern University in Boston, told Forbes. “The dark web is usually where data like this is sold to the highest bidder.”
In the 2014 JPMorgan Chase breach of some 83 million consumers, e-mail addresses were used for pump-and-dump schemes to boost stock prices.
In a research note, Jim Duffy at Stifel wrote that reportedly the majority of the passwords were encrypted using bcrypt, a hashing technology that is difficult to crack. A portion, however, were encrypted with a weaker hashing technology, SHA-1.
“The risk is that many people use the same password for numerous accounts offering hackers a potential avenue for identity theft in other applications of significance including social media or financial accounts,” wrote Duffy.
But Duffy added that while data breaches cause “bad PR” in the near term, most companies have been able to largely ride out any reputational damage in past breaches, citing past incidents from Home Depot, Sony, and Target as examples. Wrote Duffy, “The scope of the breach appears contained and importantly, limited to user names, e-mail addresses, and encrypted passwords.”
He likewise pointed out that Under Armour has been commended in the press for its “prompt and forthright response.”
Duffy also wrote that he expects expenses to manage and resolve the breach to be “of small consequence” since financial information has not been compromised. Wrote Duffy, “Given the growing frequency of large scale data breaches, however, we suspect the impact to the brand and long-run impact is minimal.”
The MyFitnessPal hack is the largest data breach this year and one of the top five to date, based on the number of records compromised, according to SecurityScorecard per Reuters.
Larger hacks include 3 billion Yahoo accounts compromised in a 2013 incident and credentials for more than 412 million users of adult websites run by FriendFinder Networks in 2016, according to LeakedSource.com.
Under Armour acquired MyFitnessPal in 2015 for $475 million. MyFitnessPal lets users monitor their calorie intake and measure it against the amount of exercise they are doing, with a database of more than 2 million foods available to choose from.
When it was acquired, MyFitnessPal had 80 million users and the company has since doubled in size. Also acquiring Endomondo at the time, Under Armour used the two platforms to create the company’s Connected Fitness business. Connected Fitness also includes MapMyFitness, which was acquired in 2013.
In 2015, Under Armour established a digital fitness community across its four mobile platforms: UA Record, MapMyFitness, Endomondo and MyFitnessPal, to create what it claims to be “the world’s largest digital health and fitness community.” The company also highlighted its ambitions at the time to transform into a connected health and fitness company. With its extensive data gained from tracking how members work out, eat and sleep, Under Armour said it would not only form tighter connections with consumers, but use the insights to drive everything from product development to merchandising to marketing. In-app purchases tied to metrics have been touted.
The hack may again cause Under Armour to reappraise prospects for its Connected Fitness segment, which already saw a rough 2017. In the third quarter, Under Armour absorbed goodwill impairment charges of $29 million for the company’s Connected Fitness business as part of the company’s restructuring plan.
In November, reports arrived that Under Armour was quietly eliminating UA HealthBox, a wearable device that offered a connected activity tracker, heart rate monitor and smart scale tools.
On December 4, Under Armour announced that Mike Lee and Albert Lee, the co-founders of MyFitnessPal, planned to leave the company in January to pursue their next entrepreneurial ventures. At the time, Under Armour said Michael La Guardia, formerly head of product for both Yahoo! Finance and Sports, would join Under Armour in January as VP, digital product with responsibility for leading all digital product development.
Overall, the Connected Fitness segment had revenues in 2017 of $89.2 million, or 1.8 percent of total sales, up from $80.4 million a year ago. Revenues consist of digital advertising, digital fitness platform licenses and subscriptions.
The segment widened its operating loss in the year to $55.3 million from $36.8 million in the year-ago period. The increase was primarily due to $47.8 million in restructuring and impairment charges.
Under Armour has already been struggling with sales in recent quarters and negative headlines in USA Today and the major television news hours won’t help in their recovery. Much remains unknown about the details of the breach and the coverage could continue.
Under Armour’s slowdown has been blamed on the company’s move to extend distribution to Kohl’s and other places, and the company is working on improving its segmentation efforts. But the company is also being impacted by a recovery from Adidas in the U.S. and stiff competition from Nike, which expects a number of hyped launches to revive North American growth in the second half of the year. Under Armour’s efforts to expand into more fashion-forward and casual offerings have also been a hurdle.