Customers of US-based sportswear giant Under Armour have been warned to be on high alert after details of approximately 72.7 million shoppers appeared online this week.
Collated by breach information website HaveIBeenPwned, the data was likely exfiltrated by the Everest ransomware crew, which claimed to have carried out a ransomware attack against the Baltimore, Maryland-based company in November 2025.
The Everest gang said at the time that it was in possession of 343GB of Under Armour’s data, including personally identifiable information relating to both employees and customers.
HaveIBeenPwned said the customer data included names, birth dates, gender information, contact details, location data and purchase history.
Jake Moore, global cyber security advisor at ESET, said: “The ransomware element of the attack, once again, proves that the retail industry continues to be targeted because high-profile targets can be extremely profitable.
“Once personal data is stolen, it then doesn’t take much to carry out a well-crafted follow-up targeted attack on those affected,” he said. “Criminals are masters of putting what data they can source together to create a phishing email, text message or even a voice call in an attempt to manipulate a victim further. Scammers will often purport to be from the targeted business, in this case Under Armour, in order to try and capture more details from them in well-constructed messages.
“Therefore, people will need to be on high alert to such messages and refrain from offering up further information – especially anything financial, and even more so if they have already had any contact with potential cyber criminals since November.”
Computer Weekly understands Under Armour is already facing a class action lawsuit over the incident, which alleges the organisation was negligent and/or reckless in failing to properly protect its customers’ data and failing to notify them in a timely manner.
Under Armour has been approached for comment but had not responded at the time of publication.
Who are Everest?
Everest, the ransomware gang supposedly behind the intrusion at Under Armour, is a remarkably long-lived and persistent threat thought to date back to about December 2020.
The Russian-speaking gang is an adept operation and transitioned from a simple exfiltration model to double extortion in 2021, according to analysts at Halcyon’s Ransomware Research Centre.
Since the end of 2021 it has also been offering initial access brokerage services to other cyber criminals, and in late 2023 it launched an insider recruitment programme, incentivising employees of potential victims to offer it access with cash payments or profit sharing arrangements.
“Everest have evolved significantly after coming onto the scene. Once inside a corporate environment, they move quickly. Every move is carefully planned and designed to maximise impact and increase the likelihood of a payout,” said John Abbott, founder and CEO of ThreatAware.
“They are often searching for internet facing RDP servers without multi-factor authentication, an unpatched VPN server, or user credentials they have purchased from an access broker,” he said. “Once inside the network they will extract critical data and install remote access tools such as AnyDesk, Splashtop and Atera.
“What this means is that security fundamentals could not be more critical or urgent,” said Abbott. “If your assets are patched, you have a full software inventory, a highly accurate and up to date user inventory, and you are using throughout, you can avoid such an attack, but if they do gain access, you will have dramatically reduced the impact.”
