Under Armour Risk Management Failure:
Data Breach Affects 150 Million MyFitnessPal App Users

Steven Minsky | April 2, 2018

On March 29, 2018, Under Armour announced that the data of over 150 million users of the MyFitnessPal diet and fitness app was exposed in February of this year.

User data included usernames, emails, and passwords. The company put a PR spin on the breach by disclosing that government-issued identifiers like Social Security and driver’s license numbers, as well as credit-card information, weren’t compromised. In an email to MyFitnessPal users, Under Armour emphasized the affected passwords were “hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.”

That sounds nice, right? Under Armour does not collect government identifiers, like Social Security numbers and driver’s license numbers. Therefore no regulations were violated. Unfortunately, that’s not the problem. Under Armour’s reputation is taking a hit, as customers and investors feel their trust has been broken. As a result, shares of Under Armour dropped over 4 percent.

We’re in the see-through economy—an incredibly fast-paced age of transparency where consumers and investors are empowered through interconnectivity and technology to impact a company’s reputation. Customers and investors see the truth: a security breach is a reputational issue as much as a data security issue.

When a company’s brand does not meet the expectations of privacy and accountability, their users are more likely to choose an alternative product to make a statement, and investors are more likely to sell their shares in that company.

This is where the trend of Environmental, Social, and Governance (ESG) investing runs parallel to the see-through economy and ESG software can help. ESG investors are sending a message that they’re tired of negligence and the mishandling of corporate scandals and negligence. Already, shareholders are speaking up about their expectations not being met in a corporation’s risk management program.

An effective ERM program proves to ESG investors that a company takes those expectations seriously. A study by Queens University has proven that companies that implement a comprehensive ERM program see a 25% increase in market value.

Data breaches like the one experienced by Under Armour are failures in risk management and are entirely preventable. The underlying issues behind these failures are typically buried deep in the operations of the company, often known by supervisors and mid-level managers for months or even several years ahead of time. The problem is that the root-cause of these incidents often cannot be identified by these individuals, who do not have the means to connect with employees across the silos of their work groups to understand how related risks transpire in other areas of the business. This means systemic risks aren’t addressed, and managers aren’t able to engage the right resources to fix the heart of the problem.

These days, companies seem to be in constant fear of the see-through economy. We find our customers embrace it. Companies can use enterprise risk management to empower employees and make everyone a process improvement specialist. Instead of treating these incidents, such as the one Under Armour is dealing with, as reactive one-off events, companies should be using ERM’s risk-based approach to identify and address the root-causes of their concerns.

If you’re an Under Armour customer and re-use your password from their MyFitnessPal site anywhere else, you need to change it right away. Many people reuse passwords for their bank and credit card accounts, as well as for work logins for sensitive information.

Data breaches where user information like usernames and passwords are, to some degree, more insidious to consumers than hacks where credit card data is stolen. Credit card breaches are taken care of by banks on their customers’ behalf. Information like usernames and passwords can be used to impersonate an individual. Impersonation risk should be a priority for every company.

Take these steps to implement a risk-based approach:

Protect your personal reputation: Sign-up for a comprehensive monitoring service that not only protects your credit but monitors your online social media accounts for suspicious activity. Employees are sometimes held accountable for what is posted on their social media accounts.

Protect your business information: Employers need to offer employees comprehensive monitoring services as part of a basic benefits package alongside health and dental coverage. If an employee is falsely impersonated at work, the company is fully exposed. Employers also should offer password vault software to help employees not reuse their passwords.

Effective risk management: Having insurance and password vaults doesn’t mean employees are actually using them. Employees are already doing all they can to support customers and achieve their goals. It can be difficult for even the very best employees to make the connection between a personal breach and a possible work impact. With their busy schedules, it can be a real challenge to take the needed action at home and work to respond. Everyone needs a helping hand. Studies show that only 20% of employees will proactively use these services without a company policy and support of an ERM oversight system that helps them through reminders. This is where risk management brings effectiveness up from 20% to 100%. Risk assessments show what assets are a priority and which employees have access to them. Recurring tasks help security personnel ensure policies are being followed, and connect directly with those employees who need assistance. Without risk management to connect the dots, those with the ability to make a change don’t know who to help, and 80% of front-line employees don’t ask for help.

These are just a few of the ways that enterprise risk management can protect consumers and businesses.