The Everest ransomware gang claims to have stolen data from 72.7 million Under Armour accounts, with Have I Been Pwned confirming the breach includes names, emails, and purchase history. The athletic apparel company has not publicly acknowledged the incident, which has already triggered a class action lawsuit.
The Everest ransomware group has allegedly compromised Under Armour, with the breach potentially affecting 72.7 million customer accounts according to data breach monitoring service Have I Been Pwned (HIBP). The incident, first disclosed by the threat actors in November 2025, represents a significant data security failure for the global sportswear manufacturer.

What Happened
On January 18, 2026, a member of the Everest ransomware group uploaded a data package to a cybercrime forum, claiming it contained information stolen from Under Armour's systems. HIBP ingested these files and confirmed the breach affects 72.7 million registered accounts. The leaked data includes names, email addresses, dates of birth, genders, geographic locations, and details of previous purchases.
Everest had previously listed Under Armour on its leak site in November 2025, threatening to release the stolen data unless the company paid an undisclosed ransom within seven days. In addition to the data types HIBP confirmed, Everest claimed the leak also included phone numbers, physical addresses, loyalty program details, and preferred store locations.
Under Armour's Response
Despite the severity of the alleged breach and the public listing on ransomware leak sites, Under Armour has remained silent. The company did not respond to questions about the attack when it was first reported in November 2025, and has yet to issue any public statement or acknowledgment of the incident as of late January 2026.
This silence is particularly concerning given the scale of the breach and the potential legal implications. The lack of official communication leaves millions of customers uncertain about the security of their personal information and what steps they should take to protect themselves.
Legal Consequences
The breach has already triggered legal action. Law firm Chimicles Schwartz Kriner & Donaldson-Smith filed a proposed class action lawsuit on behalf of Under Armour customer Orvin Ganesh shortly after Everest first posted details of the claimed attack. The lawsuit alleges that Under Armour failed to adequately protect customer data and did not provide timely notification of the breach.
Class action lawsuits in data breach cases typically seek compensation for affected individuals, improved security measures, and sometimes credit monitoring services. Given the scale of this incident—potentially affecting nearly 73 million accounts—the financial and reputational impact on Under Armour could be substantial.
The Everest Ransomware Group
Everest is a relatively established player in the ransomware ecosystem, operating since 2020. Unlike many ransomware groups that gain notoriety through high-profile attacks and then quickly disappear due to law enforcement action or internal disputes, Everest has maintained a consistent presence.
According to security firm Halcyon, Everest operates through three distinct revenue streams:
- Double extortion ransomware: Traditional encryption-based attacks combined with data theft and public exposure threats
- Network access brokerage: Selling initial access to compromised corporate networks to other cybercriminals
- Insider recruitment program: Paying employees within target organizations to provide access or steal data
This diversified business model allows Everest to generate revenue through multiple channels while maintaining a lower profile than more aggressive ransomware groups. Despite its longevity and portfolio of high-profile attacks—including claimed hits on Collins Aerospace, Sweden's power grid, and the Brazilian government—Everest doesn't typically appear in rankings of the most dangerous or prolific ransomware groups.
Recent Everest Activity
The Under Armour breach is part of a pattern of recent activity from the group. In December 2025, computer manufacturer Asus confirmed it was affected by an Everest attack, though the compromise occurred through a supplier rather than a direct breach of Asus systems. The group's internal files were compromised as a result.
Everest's approach often involves targeting supply chain vulnerabilities, as seen in the Asus incident, and leveraging insider threats. This makes detection and prevention more challenging for organizations, as traditional perimeter security may not catch these attack vectors.
Implications for Data Protection
This incident highlights several critical issues in modern data protection:
- Scale of Data Collection: The breach affects 72.7 million accounts, demonstrating how large customer databases become attractive targets. Companies collecting extensive personal information—including purchase history, location data, and demographic details—create valuable repositories for cybercriminals.
- Ransomware Evolution: The shift from simple data encryption to double extortion (encryption plus data theft and public exposure) has changed the ransomware landscape. Even if companies have backups and can restore operations, the threat of public data leaks creates additional pressure to pay ransoms.
- Supply Chain Risks: The Asus incident shows how breaches can occur through third-party vendors, so comprehensive security requires visibility into the entire supply chain.
- Insider Threats: The existence of insider recruitment programs indicates that human factors remain a significant vulnerability, requiring not just technical controls but also employee awareness and monitoring.
Compliance and Regulatory Context
While Under Armour has not acknowledged the breach, companies in similar situations face significant regulatory obligations. Depending on jurisdiction, data breach notification laws require companies to inform affected individuals and regulators within specific timeframes—often 72 hours in regions like the European Union under GDPR, or varying state-by-state requirements in the United States.
Failure to comply with notification requirements can result in substantial fines. For example, under GDPR, penalties can reach up to 4% of global annual revenue or €20 million, whichever is higher. Given Under Armour's global presence and the scale of the breach, regulatory scrutiny is likely to follow once the incident becomes public knowledge.
What Affected Customers Should Do
While Under Armour has not provided guidance, customers who believe they may be affected should consider:
- Monitor accounts: Watch for suspicious activity in email accounts, financial accounts, and any accounts using the same credentials as Under Armour
- Change passwords: Update passwords for any accounts that might use the same credentials as Under Armour
- Enable two-factor authentication: Add an extra layer of security to important accounts
- Be vigilant for phishing: Expect increased phishing attempts using the leaked personal information
- Consider credit monitoring: Given the inclusion of personal details like dates of birth and location, credit monitoring services may be advisable
The Broader Pattern
This incident is part of a continuing trend of large-scale data breaches affecting consumer brands. The combination of valuable customer data, often collected through loyalty programs and e-commerce platforms, makes these organizations attractive targets. The Under Armour breach follows similar incidents at other major retailers and consumer brands in recent years.
The fact that the breach occurred in November 2025 but wasn't publicly confirmed until January 2026 through third-party monitoring services raises questions about breach detection and response timelines. Modern security frameworks emphasize rapid detection and response, but the gap between the alleged attack and public disclosure suggests potential delays in identifying the incident.
Conclusion
The alleged Under Armour breach represents a significant data security incident with far-reaching implications for consumer privacy and corporate responsibility. The scale—72.7 million accounts—makes it one of the larger breaches in recent years, and the company's silence complicates the situation for affected customers.
As the case develops, it will likely serve as another case study in the importance of comprehensive cybersecurity measures, timely breach notification, and the evolving tactics of ransomware groups like Everest. For the cybersecurity community, it underscores the need for continuous monitoring of threat actor activities and the importance of sharing breach information through platforms like Have I Been Pwned.
The incident also highlights the ongoing challenge of balancing data collection for business purposes with the security responsibilities that come with holding vast amounts of personal information. As regulatory frameworks continue to evolve and consumer expectations around data protection grow, companies will face increasing pressure to demonstrate robust security practices and transparent communication when incidents occur.
