Under Armour data exposure puts 72.7 million shoppers on alert after ransomware leak

Customers of U.S.-based sportswear company Under Armour are being urged to remain vigilant after personal information linked to approximately 72.7 million shoppers surfaced online this week, following a ransomware-related data exposure tied to an incident disclosed late last year.

The exposed dataset was aggregated by breach-tracking service Have I Been Pwned and is believed to stem from a ransomware attack carried out in November 2025 by the Everest cybercrime group. The attackers previously claimed they had obtained 343 gigabytes of Under Armour data, including information related to both customers and employees of the Baltimore, Maryland-based apparel manufacturer.

The customer data now circulating online includes names, dates of birth, gender details, contact information, location data and purchase history. The scope and sensitivity of the information raise concerns about the potential for targeted fraud and identity-based cybercrime against affected individuals.

Cybersecurity specialists warned that retail organizations remain prime targets for ransomware groups because of the value and scale of consumer data they hold. Once personal information is stolen, attackers can leverage it to conduct follow-up phishing campaigns through email, text messages or phone calls, often posing as the breached company to extract additional information or financial details. Individuals impacted by the incident are being advised to scrutinize unsolicited communications and avoid sharing further personal or financial information, particularly if they have already encountered suspicious outreach since the time of the breach.

Under Armour is already facing a class action lawsuit connected to the incident. The complaint alleges the company acted negligently or recklessly by failing to adequately safeguard customer data and by not providing timely notification following the breach. The company was contacted for comment on the latest developments but had not responded by the time of publication.

The Everest ransomware group, which has been linked to the intrusion, is considered a long-running and persistent threat within the cybercrime ecosystem, with activity dating back to late 2020. The group has evolved from basic data theft operations to double extortion tactics and has expanded into offering initial access brokerage services to other criminal actors. In recent years, it has also attempted to recruit insiders at target organizations by offering cash payments or profit-sharing arrangements in exchange for network access.

Security analysts note that the group typically exploits exposed remote desktop services lacking multi-factor authentication, unpatched virtual private network infrastructure, or compromised credentials obtained through underground markets. Once inside a network, the attackers are known to rapidly extract sensitive data and deploy remote access tools to maintain persistence.