Hackers publish data from a late-2025 breach after ransom demands were ignored by a firm which subsequently failed in crisis-response diligence.
In late 2025, the Everest ransomware group infiltrated systems at Under Armour and extracted around 343GB of sensitive information. The attackers had demanded payment with a strict seven-day window, threatening to publish the material if ransom demands were unmet.
When the firm did not comply, a user known as “thelastwhitehat” shared a 19.5GB archive containing over 191m entries on a cybercrime forum on 18 January 2026. The release featured about 72.7m unique customer and employee email addresses, paired with details such as first names, birthdates, genders, postcodes, store preferences, and buying patterns from various internal panels.
Although 76% of those emails had surfaced in earlier incidents, the added context on transactions and locations heightens vulnerability to customized scams. Services such as Have I Been Pwned have quickly incorporated the files, alerting users to check their status.
Experts highlight the peril of such targeted fraud, where criminals could mimic official promotions using real order specifics to deceive recipients. The dataset’s depth, including marketing logs and behavioral notes, enables sophisticated social engineering long after the event fades from headlines.
Under Armour reportedly stayed silent throughout. No breach notice was ever sent out to those impacted, and the organization had ignored press inquiries following the initial claim and leak, according to one report.
Legal pushback has emerged swiftly, with Maryland plaintiff Orvin Ganesh launching a federal class action charging negligence in data handling, including unencrypted storage. Another suit from Chimicles Schwartz Kriner & Donaldson-Smith echoes claims of violated privacy rules and inadequate protections for U.S. residents affected, according to this report. The accused firm has so far not issued any public responses to the litigations.
The episode underscores persistent retail cybersecurity and cyber-crisis response gaps, especially amid rising ransomware tactics. Affected parties are advised to update credentials, activate multifactor authentication, and watch for suspicious outreach.
