Full Report
In November 2025, the Everest ransomware group claimed Under Armour as a victim and attempted to extort a ransom, alleging they had obtained access to 343GB of data. In January 2026, customer data from the incident was published publicly on a popular hacking forum, including 72M email addresses. Many records also contained additional personal information such as names, dates of birth, genders, geographic locations and purchase information.
Analysis Summary
# Incident Report: Everest Ransomware Attack on Under Armour (2025-2026)
## Executive Summary
In November 2025, the Everest ransomware group publicly claimed Under Armour as a victim, alleging access to 343GB of data, and attempted to extort a ransom. In January 2026, customer data from the incident was posted on a popular hacking forum, exposing 72 million email addresses together with, for many records, names, dates of birth, genders, geographic locations and purchase information. The source material does not describe the initial access vector or Under Armour's internal response.
## Incident Details
- Discovery Date: Not stated in the source (Everest's public extortion claim dates to November 2025, so awareness of the claim by then is implied)
- Incident Date: November 2025 (Claim of compromise/Extortion attempt)
- Affected Organization: Under Armour
- Sector: Retail/Apparel
- Geography: Not explicitly stated (Global customer base implied)
## Timeline of Events
### Initial Access
- Date/Time: November 2025 (date of Everest's claim; the actual intrusion date is not stated)
- Vector: Unknown (attributed to the Everest ransomware group by its own claim)
- Details: Everest claimed to have obtained 343GB of data. The source does not describe how access was gained.
### Lateral Movement
- Date/Time: Unknown
- Details: Not described in the source. The volume claimed (343GB) points to access to bulk customer data stores, but the path taken to reach them is not stated.
### Data Exfiltration/Impact
- Date/Time: Prior to the November 2025 extortion claim; public leak in January 2026
- Details: Everest claimed 343GB of data exfiltrated. In January 2026, customer data from the incident, including 72 million email addresses, was published publicly on a hacking forum.
### Detection & Response
- Date/Time: November 2025 onward
- Details: Everest announced the victim and made its extortion attempt in November 2025; the stolen data appeared on a hacking forum in January 2026. The source does not describe any detection or response actions taken by Under Armour.
## Attack Methodology
*Note: The source text does not describe specific TTPs; this section records only what the observed outcome implies, mapped to ATT&CK tactic names.*
- Initial Access: Not stated in the source.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection (TA0009): **Bulk collection of customer records** (343GB claimed by the group).
- Exfiltration (TA0010): **Transfer of the collected data out of the environment**; channel and tooling not described.
- Impact (TA0040): **Extortion and data leak**: a ransom demand in November 2025 followed by public posting of the stolen files in January 2026.
## Impact Assessment
- Financial: Ransom demanded (amount not stated in the source). Potential costs from remediation, breach notification and regulatory action.
- Data Breach: **72 million email addresses** exposed; many records also included:
  - Names
  - Dates of Birth
  - Genders
  - Geographic Locations
  - Purchase Information
- Operational: Not detailed in the source.
- Reputational: Significant, given the public posting of PII for 72 million customers on a hacking forum.
## Indicators of Compromise
*Note: No concrete technical IOCs (IPs, hashes, domains) were provided in the source material.*
- Network indicators: N/A
- File indicators: N/A
- Behavioral indicators: Large-volume outbound transfer of customer data from the environment prior to the November 2025 extortion claim, followed by public posting of that data on a hacking forum in January 2026.
## Response Actions
*Note: The source text does not describe Under Armour's internal response, so the fields below are unknown.*
- Containment measures: Unknown
- Eradication steps: Unknown
- Recovery actions: Unknown
## Lessons Learned
- **Ransomware Preparedness:** Exfiltration of 343GB (as claimed by the group) was neither blocked nor caught in time to prevent it, pointing to gaps in preventive and detective controls around bulk access to customer data and outbound transfer.
- **Data Exposure Risk:** Sensitive customer PII (including dates of birth) was retained alongside email addresses, increasing the severity of the leak once the data was published.
- **Extortion-to-Leak Window:** Roughly two months separated the November 2025 extortion claim from the January 2026 public leak. Groups that do not obtain payment routinely publish the data, so a public claim should be treated as the start of the notification clock rather than the eventual leak.
## Recommendations
- **Strengthen Access Control:** The initial access vector is not known, but enforce phishing-resistant MFA on all remote access, administrative and customer-facing authentication paths, and restrict which accounts can read customer data in bulk.
- **Data Minimization:** Review and reduce retention of highly sensitive PII (e.g., dates of birth) where it is not strictly necessary for business operations; fields that are not stored cannot be leaked.
- **Enhance Network Monitoring:** Baseline each host's outbound volume to external destinations and alert when a host exceeds its own baseline by a large factor; watch for staging activity that precedes egress (bulk reads from customer databases, large archive creation, internal copies to a single host); and apply rate limits or DLP controls to bulk exports from systems holding customer records.
- **Incident Response Readiness:** Treat a public extortion claim as the start of the notification clock. Pre-establish communication and remediation plans for large-scale PII breaches so that customer notification does not wait for the data to appear on a leak site.
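The behavioral indicator above (large-scale outbound transfer preceding the leak) and the network monitoring recommendation both come down to the same detection: per-host outbound volume compared against that host's own baseline. The following is an added example of that logic, not code from the source report or from Under Armour. The flow records, the baseline figures, the IP addresses and the thresholds are all constructed for illustration; the record layout (timestamp, source, destination, port, bytes) is a simplified stand-in for whatever NetFlow, VPC flow log or firewall export an environment actually produces.

```python
"""Flag internal hosts whose outbound volume to external destinations far exceeds
their own baseline. Added example with constructed data; not from the incident."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed flow records (timestamp,src_ip,dst_ip,dst_port,bytes_out).
# 10.20.5.17 pushes ~13 GB to one external address overnight; 10.20.7.31 is normal.
SAMPLE_FLOWS = """\
2025-11-03T01:10:00Z,10.20.5.17,172.67.9.4,443,4200000000
2025-11-03T01:25:00Z,10.20.5.17,172.67.9.4,443,3900000000
2025-11-03T02:05:00Z,10.20.5.17,172.67.9.4,443,5100000000
2025-11-03T09:00:00Z,10.20.5.17,10.20.8.2,445,900000000
2025-11-03T09:12:00Z,10.20.7.31,52.0.14.9,443,120000000
2025-11-03T10:40:00Z,10.20.7.31,52.0.14.9,443,95000000
"""

# Constructed per-host baseline of daily external egress in bytes (for instance the
# median of the previous 30 days, computed elsewhere). Unknown hosts get a default.
BASELINE_BYTES = {"10.20.5.17": 150_000_000, "10.20.7.31": 110_000_000}
DEFAULT_BASELINE = 50_000_000


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


class Alert(NamedTuple):
    host: str
    total_bytes: int
    ratio: float
    top_dst: str
    top_dst_bytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the simplified CSV layout; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def is_external(ip: str) -> bool:
    """RFC1918, loopback and link-local are internal; anything else counts as egress."""
    return not ipaddress.ip_address(ip).is_private


def external_egress(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Sum bytes per (source host, external destination); internal flows are ignored."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_external(f.dst):
            totals[f.src][f.dst] += f.nbytes
    return totals


def detect_bulk_egress(flows: List[Flow], baseline: Dict[str, int], default_baseline: int,
                       ratio_threshold: float = 10.0, floor_bytes: int = 1_000_000_000) -> List[Alert]:
    """Alert on hosts that both exceed an absolute floor and exceed their baseline
    by ratio_threshold. The floor stops low-volume hosts with tiny baselines from
    alerting on a single large download; the ratio stops busy hosts from alerting
    on normal traffic. Each alert carries the top destination for triage."""
    alerts = []
    for host, by_dst in external_egress(flows).items():
        total = sum(by_dst.values())
        ratio = total / baseline.get(host, default_baseline)
        if total >= floor_bytes and ratio >= ratio_threshold:
            top_dst, top_bytes = max(by_dst.items(), key=lambda kv: kv[1])
            alerts.append(Alert(host, total, ratio, top_dst, top_bytes))
    alerts.sort(key=lambda a: a.total_bytes, reverse=True)
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_egress(parse_flows(SAMPLE_FLOWS), BASELINE_BYTES, DEFAULT_BASELINE):
        print(f"{a.host}: {a.total_bytes / 1e9:.1f} GB external egress "
              f"({a.ratio:.0f}x baseline), top destination {a.top_dst} "
              f"({a.top_dst_bytes / 1e9:.1f} GB)")
```

On the constructed data only 10.20.5.17 is flagged (13.2 GB to a single external address, 88x its baseline); the SMB flow to 10.20.8.2 is excluded from the egress sum because the destination is internal, but an internal copy of that size landing on one host is exactly the staging signal the recommendation mentions and is worth a separate rule. In production the baseline should be recomputed on a rolling window and the floor set from the environment's own distribution rather than the 1 GB placeholder used here.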