In recent weeks, two notable data breaches have been making headlines, both at U.S. companies: one hit Under Armour, the other Panera Bread. The approaches the two companies took to mitigating the threat to consumers could not have been more different. One is a lesson in best practice; the other is a cautionary tale in how not to handle an attack aimed at seizing consumer data.
Let us first examine the case of Under Armour and how its reaction to the data breach serves as an object lesson in handling an attack of this type.
In a society increasingly tempted by fast-food deals and convenience foods, the last thing consumers need is to be told that their efforts to lead a healthier lifestyle now expose them to hackers gaining access to the devices and apps they use to manage their health. But that is exactly what happened when 150 million users of Under Armour's fitness app were alerted that the personal information held in their MyFitnessPal accounts had been stolen.
In late March a spokesperson announced that Under Armour had become aware of a data breach of its fitness tracking app (which can track heart rate and help users lose weight and reach fitness goals). The breach had occurred during February 2018, and ‘an unauthorized party acquired data associated with MyFitnessPal user accounts.’
Under Armour fitness app privacy best practice
Under Armour reacted quickly, at least in relative terms, to the breach. Its internal security mechanisms, and the firewalls separating sensitive information from less sensitive data, prevented a far wider impact on users of its fitness app. The company has stated that the exposed data did not include Social Security numbers, driver's license numbers or any other government-issued identifiers, and that payment card information was not collected at all.
The Baltimore, Maryland-based company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community to the incident, according to an Under Armour press release.
Jeff Pollard, a security expert at Forrester, said that while the breach affected a large number of accounts, “Under Armour is showing it learned some lessons from companies breached in recent months by notifying its customers rapidly after discovering the intrusion.”
However, the company has yet to clarify whether “other personal details – such as eating habits, photos, GPS location, and other fitness-related information – were included in the breach, and if included, whether that data was also encrypted or masked in some fashion,” which is of concern to users “and rightfully so,” said Pollard. “Fitness trackers and apps like MyFitnessPal are fantastic tools that help people, but users must also be aware of the fact that these devices and apps act as ‘opt-in surveillance.’ Anyone with access to what the app collects also has access to your location, habits, and preferences – and in this case, that is now an attacker.”
Within a week of becoming aware of the issue, Under Armour said, it began notifying members of the MyFitnessPal community by email and in-app messaging. It also took proactive steps to address the vulnerabilities in its systems; other companies have not been so quick off the mark after suffering a data breach.
“Under Armour is working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities,” the recent press release stated. “The investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.”
Praise for Under Armour’s approach to the data breach
Terry Ray, CTO of Imperva, also praised Under Armour for its response to the data breach. “Most consumers are becoming a bit desensitized to data breaches, which have become common enough to barely make the news. And if one breach makes news, there are ten that don’t.
“First, in this case, it’s good that Under Armour detected the breach at all. Many companies fail that first, most important step. Second, they at least used bcrypt for the passwords, which is considered considerably more compute intensive than SHA-1.”
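Ray's point that bcrypt is far costlier to guess against than SHA-1, and the press release's note that only “the majority” of the hashes used bcrypt, both come down to the format each stored hash is in. The following is an added example, not Under Armour's code: it classifies stored hashes by format, reads out the bcrypt cost factor, and lists the accounts whose hashes should be upgraded at next login; the MIN_BCRYPT_COST policy floor and the sample records are assumptions constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# bcrypt modular-crypt string: $2<a|b|y>$<2-digit cost>$<22-char salt><31-char digest>,
# 60 characters in total. The cost is a log2 work factor: 2**cost Blowfish key-setup rounds.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# An unsalted SHA-1 digest stored as 40 hex characters: one cheap operation per guess.
SHA1_HEX_RE = re.compile(r"^[0-9a-fA-F]{40}$")
MIN_BCRYPT_COST = 10  # assumed policy floor for this example, not Under Armour's setting

@dataclass
class HashAssessment:
    scheme: str             # "bcrypt", "sha1" or "unknown"
    cost: Optional[int]     # bcrypt log2 work factor, None for other schemes
    acceptable: bool        # True only for bcrypt at or above the policy floor

def assess_stored_hash(stored: str) -> HashAssessment:
    """Classify one stored password hash by its on-disk format."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        return HashAssessment("bcrypt", cost, cost >= MIN_BCRYPT_COST)
    if SHA1_HEX_RE.match(stored):
        # Fast and unsalted: identical passwords give identical digests, and guesses are cheap.
        return HashAssessment("sha1", None, False)
    return HashAssessment("unknown", None, False)

def audit(records: List[Tuple[str, str]]) -> Tuple[Dict[str, int], List[str]]:
    """Count schemes across (username, stored_hash) records; list accounts to re-hash at next login."""
    counts: Dict[str, int] = {}
    rehash: List[str] = []
    for user, stored in records:
        result = assess_stored_hash(stored)
        counts[result.scheme] = counts.get(result.scheme, 0) + 1
        if not result.acceptable:
            rehash.append(user)
    return counts, rehash

# Constructed sample records; the bcrypt salt/digest characters are placeholders, not real hashes.
SALT_AND_DIGEST = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_RECORDS = [
    ("alice", "$2b$12$" + SALT_AND_DIGEST),                 # bcrypt, cost 12: acceptable
    ("bob",   "$2a$05$" + SALT_AND_DIGEST),                 # bcrypt, cost 5: below policy floor
    ("carol", hashlib.sha1(b"password").hexdigest()),       # legacy unsalted SHA-1
    ("dave",  "not-a-recognised-hash"),                     # unknown scheme: investigate
]
```

Running `audit(SAMPLE_RECORDS)` reports two bcrypt records, one SHA-1 and one unknown, and flags bob, carol and dave for re-hashing.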
James Lerud, head of Verodin’s Behavioral Research Team, added: “Praising a company after a breach is difficult, but we should give Under Armour credit for keeping payment information separate from profile information.”