© 2026 CoolTechZone - Latest tech news,
product reviews, and analyses.

Under Armour data breach affected 72M customers


Last year’s ransomware attack on Under Armour affected over 72 million customers of the American sportswear and footwear brand.

In November 2025, the Everest ransomware group disclosed that it had exfiltrated personal information of “millions” belonging to customers of Under Armour.

The attackers claimed they had stolen 343GB of internal documents that contained detailed personally identifiable information, including names, genders, dates of birth, physical addresses, email addresses, geographical locations, purchase histories, browsing behavior, loyalty program IDs, and employee contact information.

Under Armour was given 7 days to come up with a ransom demand. If this deadline wasn’t met, the hackers threatened to expose the stolen data on their website on the dark web.

Earlier this week, the Everest ransomware operation publicly published customer data from the incident on a popular hacking forum.

In a message on X, Troy Hunt, a cybersecurity expert from Australia, says he has added 72.7 million email addresses to Have I Been Pwned. A total of 76% of all email addresses were already known due to data breaches at other companies.

Under Armour hasn’t publicly confirmed the full scale of the data breach.

A class-action lawsuit has been filed at the US District Court of Maryland against the sportswear company, accusing it of having failed to properly safeguard personal and sensitive information of its customers, and of having failed to timely notify victims.

“In breaching its duties to properly safeguard Plaintiff’s and Class Members’ private information and give them timely, adequate notice of the data breach’s occurrence, Defendant’s conduct amounts to negligence and/or recklessness and violates federal and state statutes as well as its own internal privacy policies,” the suit asserts.

“Defendant failed to adequately protect Plaintiff’s and Class Members’ private information, and failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted private information was compromised due to Defendant’s negligent and/or careless acts and omissions and their utter failure to protect Plaintiff’s and Class Members’ sensitive data,” the complaint continues.