Lawsuit Filed in Wake of Under Armour Data Breach
Company Asks Court to Compel Arbitration
A lawsuit seeking class action status has been filed in the aftermath of a data breach impacting 150 million users of Under Armour's MyFitnessPal mobile application and website.
But the apparel maker - pointing to the app's terms and conditions of use - has filed a motion for the court to compel arbitration of the case and to dismiss or stay the lawsuit.
The class action lawsuit comes in the wake of Under Armour disclosing in March that during February, an unauthorized party acquired data associated with the company's MyFitnessPal user accounts.
MyFitnessPal is a free smartphone app and website that enables users to track diet and exercise to help with weight loss.
Impacted Data
Maryland-based Under Armour had said in a statement in March that while exposed passwords were protected by the strong hashing algorithm bcrypt, other exposed information, including usernames and email addresses, was protected by easier-to-crack SHA-1 hashing.
The company said the breach did not impact government-issued identifiers - such as Social Security numbers and driver's license numbers - because it does not collect that information from users. The company also claimed that payment card data was not affected because it is collected and processed separately.
The lawsuit, however, says that Under Armour "also collects credit/debit numbers from its users in order for those users to access premium features of these websites and apps." It claims that "the plaintiff and class members now face years of constant surveillance of theft of financial and personal records, monitoring, and loss of rights ... and will continue to incur such damages in addition to any fraudulent credit and debit card charges incurred by them."
Allegations in Lawsuit
The plaintiff, MyFitnessPal user Rebecca Elizabeth Murray, makes allegations against Under Armour that include breach of contract, negligence, invasion of privacy and violations of a number of California laws, including the state's unfair and deceptive business practice regulations.
In addition to seeking damages, the lawsuit seeks to have the court compel Under Armour to improve its consumer data collection and storage practices.
On May 29, Under Armour filed a motion asking a California U.S. district court for an order "compelling individual arbitration of plaintiff's claims and dismiss the action with prejudice or, in the alternative, staying this action pending the completion of individual arbitration proceedings."
Under Armour's motion "is made under the Federal Arbitration Act on the grounds that the plaintiff expressly agreed to arbitrate her claims with Under Armour on an individual basis when she agreed to Under Armour's 'Terms and Conditions of Use,'" court documents show.
What Will Happen?
Attorney Steven Teppler of the Abbott Law Group, who is not involved in the case, says the fate of the proposed class action lawsuit is difficult to predict due to a number of issues.
"Courts lean toward enforcing arbitration agreements, but California law might permit some way to evade enforcing the arbitration agreement," he says. The court may examine how the arbitration agreement clause was presented in the company's "terms and conditions" for using the MyFitnessPal app.
Questions the court could consider, Teppler says, include: Was the arbitration agreement hidden? How many clicks were required before a user consented?
Even if the lawsuit is compelled to arbitration, it's possible that one or more state attorneys general could decide to pursue a public policy lawsuit against Under Armour related to the data breach, Teppler says, because "state AG are not covered under an arbitration clause."
But if the court allows the case to proceed as a class action lawsuit, it would be among the largest data breach cases in terms of the number of victims impacted, Teppler notes.
Negligent Practices?
The suit alleges that the data breach was "a direct and proximate result of Under Armour's failure to properly safeguard and protect plaintiffs' and class members personally identifiable information from unauthorized access, use and disclosure."
Under Armour knew or should have known that its "data security, practices were inadequate to safeguard class members private identifiable Information and that ... a data breach or theft was highly likely," the complaint alleges.
A key security question in the case is whether Under Armour was negligent or exercised reasonable care in safeguarding consumers' information, given that passwords were protected by strong bcrypt hashing while other exposed information was protected only by SHA-1 hashing, which is considered easier to crack.
"If you have 12 doors, why would you put double locks on 11 doors, but then put an easily picked lock on the twelfth door?" Teppler asks. "Why would a company use a weaker security regime on protecting names and email addresses?"
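To make the "weaker lock" concrete, the following Python (an added example, not code from the article or from Under Armour) contrasts the two storage schemes the article describes: a fast hash versus a salted, deliberately slow one. It assumes the SHA-1 hashing was unsalted, which the article does not state, uses the standard library's PBKDF2 as a stand-in for bcrypt because bcrypt needs a third-party package, and works on constructed email addresses.

```python
import hashlib
import hmac
import os

# Constructed sample records for illustration only; not data from the breach.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.com", "alice@example.com"]

def sha1_hex(value: str) -> str:
    """Unsalted SHA-1 (assumed here; the article does not say whether a salt was
    used): one fast pass and identical output for identical input, so a single
    precomputed table serves every stored record."""
    return hashlib.sha1(value.encode()).hexdigest()

def slow_salted(value: str, salt: bytes, work_factor: int = 12) -> bytes:
    """Salted, deliberately slow hash. PBKDF2-HMAC-SHA256 from the standard library
    stands in for bcrypt (a third-party package); the defensive properties are the
    same: a per-record random salt plus a tunable cost of 2**work_factor iterations."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 2 ** work_factor)

def store_fast(emails):
    return [sha1_hex(e) for e in emails]

def store_slow(emails, work_factor=12):
    records = []
    for e in emails:
        salt = os.urandom(16)  # fresh salt per record
        records.append((salt, slow_salted(e, salt, work_factor)))
    return records

def verify_slow(value, salt, digest, work_factor=12):
    """Constant-time check of a candidate value against one salted record."""
    return hmac.compare_digest(slow_salted(value, salt, work_factor), digest)

def distinct_digests(digests):
    """True when no two stored digests match, i.e. repeated inputs are not linkable.
    Unsalted SHA-1 fails this whenever two users share a value; the salted scheme
    passes even for identical inputs."""
    return len(set(digests)) == len(digests)

def table_resolves(fast_digests, candidates):
    """Exposure check for the fast scheme: how many stored records a lookup table
    built once from plausible candidate values resolves. Low-entropy identifiers
    such as email addresses are exactly the inputs such a table covers well."""
    table = {sha1_hex(c): c for c in candidates}
    return sum(1 for d in fast_digests if d in table)

def work_per_candidate(n_records, work_factor=12):
    """Hash iterations to test one candidate against all records: the shared table
    costs one SHA-1 call in total, the salted scheme a full derivation per record."""
    return {"sha1": 1, "salted_slow": n_records * 2 ** work_factor}
```

With three records and a work factor of 12, testing a single candidate costs one SHA-1 call against the table but 12,288 iterations against the salted records, and the salted digests reveal nothing about which users share an address.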
The complaint alleges that as a result of Under Armour's practices, the victims of the breach "were injured and lost money or property, including but not limited to the loss of their legally protected interest in the confidentiality and privacy of their private identifiable information."
Teppler says the MyFitnessPal consumers' email addresses and usernames, if cracked, put individuals at risk for targeted phishing and social engineering scams, "especially if combined with other big data" that allows potential attackers to identify the victims. "At the very least, expect spam," he says.
Under Armour declined to comment on the case.