Incident-as-a-Service
Under Armour Investigates Data Breach After 72 Million Records Allegedly Exposed
The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.
30-day guarantee. Instant access after payment. Lifetime updates for this incident package.
How This Course Is Structured
Clear progression from incident context to practical controls and role-specific action steps.
1. Incident Breakdown
Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.
2. Defensive Controls
Actions your team can implement in the same 48-hour response window used by active security teams.
3. Evidence & Reporting
Completion records and learning outcomes packaged for governance, insurance, and audit workflows.
Course Outline
4 modules · 16 lessons · ~192 min total
Module 1: Threat Analysis & Attack Vectors
Analyse the threat landscape, dissect attack campaigns, and understand credential harvesting and social engineering techniques used in this incident.
Module 2: Detection & Incident Response
Build detection rules, perform endpoint analysis, execute incident response playbooks, and apply digital forensics methods to contain and investigate breaches.
Module 3: Authentication & Zero Trust
Implement passwordless authentication with FIDO2, deploy risk-based access controls, secure token flows, and design Zero Trust network architectures.
Module 4: Governance & Compliance
Design security awareness programmes, communicate risk to board-level stakeholders, assess vendor supply chains, and integrate compliance frameworks.
Free Sample Lesson
Read one full lesson before purchasing. No signup required.
Lesson 1 of 16
Lesson 1.1: Anatomy of the Under Armour Investigates Data Breach After 72 Million Records Allegedly Exposed
Duration: 8 minutes
Learning Objectives
- Analyse the technical attack vectors and tactics used by the Everest ransomware gang in the Under Armour data breach
- Evaluate the business impact and regulatory implications of exposing 72 million customer records
- Identify key preventive security controls that could have mitigated the double extortion attack
- Assess the effectiveness of incident response strategies in large-scale data breaches
Lesson Content
Welcome to lesson one point one: Anatomy of the Under Armour Data Breach. In November 2025, sporting goods manufacturer Under Armour fell victim to one of the year's most significant retail data breaches, with the Everest ransomware gang allegedly stealing seventy-two point seven million customer records. This incident provides crucial insights into modern ransomware tactics and the devastating impact of inadequate cybersecurity controls. Let us begin by examining the technical details of this attack.

The Everest ransomware gang executed what security experts call a double extortion attack. This means they not only encrypted Under Armour's systems but also exfiltrated approximately three hundred and forty-three gigabytes of sensitive data. The stolen information included customer names, email addresses, dates of birth, gender information, approximate geographic locations based on postcodes, and detailed purchase histories. Importantly, the breach also exposed employee email addresses, creating additional insider threat risks.

Everest's attack methodology follows a predictable pattern that organisations must understand. The gang typically gains initial access through several common vectors. First, they target internet-facing RDP servers that lack multi-factor authentication. Second, they exploit unpatched VPN servers. Third, they purchase compromised credentials from access brokers on the dark web. Most concerning is their fourth method: Everest launched an employee incentivisation programme in late 2023, offering cash payments or profit-sharing arrangements to employees who provide network access credentials.

Once inside Under Armour's network, the attackers demonstrated the rapid lateral movement characteristic of sophisticated threat actors. They installed remote access tools including AnyDesk, Splashtop, and Atera to maintain persistent access. These legitimate remote administration tools are particularly dangerous because they blend in with normal business operations, making detection challenging. The attackers then conducted careful reconnaissance, mapping the network to identify high-value data repositories.

Using the MITRE ATT&CK framework, we can map Everest's tactics across the attack lifecycle. For initial access, they employed trusted relationship exploitation or phishing techniques. They established persistence through remote access software installation. They achieved exfiltration through automated data collection processes. Finally, they created impact through data encryption and extortion demands.

The timeline of this incident reveals critical response failures. The attack occurred in November 2025, but Under Armour's response was notably delayed and incomplete. Everest added Under Armour to their leak site, threatening data release unless ransom demands were met within seven days. When Under Armour presumably refused payment, the attackers posted the stolen data files to cybercrime forums in January 2026. The breach only became widely known when Have I Been Pwned, a breach notification service, ingested and published the data on January twenty-first, 2026.

The business impact of this breach extends far beyond immediate technical disruption. Under Armour faces a class action lawsuit alleging negligence in data protection and delayed customer notification. The company's reputation suffered significantly due to contradictory public statements. Whilst claiming that implications of tens of millions of compromised records were unfounded, they simultaneously acknowledged that seventy-two million records were indeed exposed. This credibility gap demonstrates the importance of transparent, consistent crisis communication.

Troy Hunt, CEO of Have I Been Pwned, highlighted the unusual nature of Under Armour's response, noting the lack of an official disclosure statement despite the organisation's size, the breach scale, and the time elapsed since the incident. This communication failure compounds reputational damage and potentially violates regulatory notification requirements.

The customer impact creates substantial secondary attack risks. Cybersecurity experts warn that stolen personal data enables well-crafted follow-up attacks. Criminals can use the combination of names, birth dates, email addresses, geographic locations, and purchase histories to create convincing phishing campaigns. These attacks might impersonate Under Armour communications to extract additional sensitive information, particularly financial details.

From a regulatory perspective, this breach triggers multiple compliance obligations. Under GDPR, Under Armour must notify supervisory authorities within seventy-two hours of breach awareness and inform affected individuals without undue delay if high risk exists to their rights and freedoms. Potential fines reach up to four per cent of global annual turnover or twenty million euros, whichever is greater. In the United States, various state breach notification laws apply, including California's CCPA, which requires notification within forty-five days and imposes fines up to seven thousand five hundred dollars per intentional violation.

The preventive controls that could have mitigated this attack are well-established but often inadequately implemented. Multi-factor authentication on all internet-facing systems, particularly RDP servers, would have blocked Everest's primary attack vector. Comprehensive patch management for VPN servers and other internet-facing infrastructure eliminates the vulnerabilities these attackers routinely exploit. Complete software and user inventories enable detection of unauthorised remote access tools and compromised accounts. Network segmentation could have limited the attackers' ability to exfiltrate three hundred and forty-three gigabytes of data after initial compromise. Data loss prevention solutions should detect such massive exfiltration events through network traffic analysis. Endpoint detection and response tools would identify the installation of remote access software and unusual process execution patterns.

The detection opportunities in this case were numerous but apparently missed. Large data exfiltration events generate significant network traffic that properly configured monitoring systems should flag. The installation of remote access tools like AnyDesk, Splashtop, and Atera represents clear indicators of compromise that endpoint security solutions should detect. Unusual RDP login attempts from unfamiliar geographic locations should trigger security alerts. Mass file access patterns preceding data exfiltration typically show distinctive signatures that behaviour analytics can identify.

Everest's evolution as a threat actor illustrates broader ransomware trends. Operating since December 2020, they shifted from simple encryption attacks to double extortion by 2021, then expanded into initial access brokerage and insider recruitment. Their business model demonstrates how ransomware has industrialised, with specialised roles for initial access, lateral movement, data exfiltration, and negotiation.

The retail industry remains particularly vulnerable to these attacks due to several factors. High-profile retail brands can pay substantial ransoms, making them attractive targets. Customer databases contain valuable personal information for follow-on fraud schemes. Many retail organisations maintain legacy systems with inadequate security controls. The seasonal nature of retail business creates pressure to maintain system availability, potentially leading to ransom payments rather than lengthy recovery processes.

Under Armour's case demonstrates that even large, well-resourced organisations can fall victim to preventable attacks when fundamental security controls are inadequately implemented. The attack succeeded not through sophisticated zero-day exploits but through common vectors that established security practices should address.

Looking forward, organisations must recognise that ransomware threats continue evolving. Threat actors increasingly target supply chain partners, use artificial intelligence to enhance attack effectiveness, and employ triple extortion tactics that threaten customers directly. However, the fundamental preventive controls remain consistent: multi-factor authentication, comprehensive patching, network segmentation, endpoint protection, and continuous monitoring.

The Under Armour incident serves as a stark reminder that cybersecurity is not merely a technical challenge but a business imperative affecting customer trust, regulatory compliance, financial stability, and competitive position. Organisations that treat cybersecurity as an afterthought rather than a core business function do so at their peril.

In our next lesson, we will examine how to conduct a comprehensive security risk assessment to identify and prioritise the vulnerabilities that attackers like Everest routinely exploit.
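The three detection opportunities the lesson lists (unauthorised remote access tool installs, RDP logons from unfamiliar locations, and bulk egress) written as a small rule set run over constructed telemetry. This is an added example, not course material or Under Armour's tooling; the tool-name markers, the 50 GiB threshold, the per-user country baseline, the approved-host list and the event schema are all assumptions.

```python
from collections import defaultdict

# Remote admin tools named in the lesson. Substring matching on the lower-cased
# image path is an assumption for this sketch, not a vendor-published indicator.
RMM_MARKERS = ("anydesk", "splashtop", "atera")
EGRESS_THRESHOLD = 50 * 1024**3          # assumed: 50 GiB per host per window

# Constructed sample telemetry (not real incident data): process starts,
# RDP logons with source country, and per-flow egress byte counts.
EVENTS = [
    {"type": "process", "host": "ws-17", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"type": "process", "host": "ws-17", "user": "jdoe",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "host": "srv-fs01", "user": "svc_admin",
     "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"type": "rdp_logon", "host": "rdp-gw", "user": "jdoe", "src_country": "GB"},
    {"type": "rdp_logon", "host": "rdp-gw", "user": "jdoe", "src_country": "RU"},
    {"type": "netflow", "host": "srv-fs01", "bytes_out": 40 * 1024**3},
    {"type": "netflow", "host": "srv-fs01", "bytes_out": 30 * 1024**3},
    {"type": "netflow", "host": "ws-17", "bytes_out": 2 * 1024**3},
]
KNOWN_COUNTRIES = {"jdoe": {"GB"}, "svc_admin": {"GB", "US"}}  # assumed baseline
APPROVED_RMM_HOSTS = set()   # hosts where IT sanctions an RMM agent (assumed)


def detect(events, known_countries=KNOWN_COUNTRIES, approved=APPROVED_RMM_HOSTS):
    """Return (rule, host, detail) tuples for the three signals in the lesson."""
    alerts = []
    egress = defaultdict(int)            # bytes out, summed per host
    for e in events:
        if e["type"] == "process":
            image = e["image"].lower()
            hit = next((m for m in RMM_MARKERS if m in image), None)
            if hit and e["host"] not in approved:
                alerts.append(("rmm_install", e["host"], f"{hit} by {e['user']}"))
        elif e["type"] == "rdp_logon":
            if e["src_country"] not in known_countries.get(e["user"], set()):
                alerts.append(("rdp_geo", e["host"],
                               f"{e['user']} from {e['src_country']}"))
        elif e["type"] == "netflow":
            egress[e["host"]] += e["bytes_out"]
    # Exfiltration shows up as aggregate volume, not in any single flow
    for host, total in egress.items():
        if total >= EGRESS_THRESHOLD:
            alerts.append(("bulk_egress", host, f"{total // 1024**3} GiB out"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"{rule:12} {host:10} {detail}")
```

In production the baseline and threshold would come from observed history per host and user rather than constants, and the RMM check would be an allowlist lookup against the software inventory the lesson recommends.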
Exercises
Exercise 1: Attack Vector Analysis
Students will map the Everest ransomware gang's attack methodology to the MITRE ATT&CK framework. Using the Under Armour case study, identify the specific techniques used at each stage: initial access, persistence, lateral movement, exfiltration, and impact. Create a timeline showing how preventive controls could have disrupted the attack at each phase. Compare Everest's tactics with at least two other recent ransomware incidents to identify common patterns and unique approaches.
Exercise 2: Regulatory Compliance Gap Assessment
Conduct a regulatory impact analysis for the Under Armour breach across multiple jurisdictions. Calculate potential GDPR fines based on Under Armour's revenue, assess CCPA notification requirements, and evaluate industry-specific regulations that might apply. Develop a compliance checklist that Under Armour should have followed from breach discovery through customer notification. Identify specific regulatory failures in their actual response and recommend corrective actions.
Exercise 3: Security Control Implementation Plan
Design a comprehensive security improvement programme for a fictional retail organisation similar to Under Armour. Prioritise preventive controls based on the Everest attack vectors, create implementation timelines with resource requirements, and develop key performance indicators to measure security posture improvements. Include technical specifications for multi-factor authentication deployment, patch management processes, network segmentation architecture, and monitoring capabilities that would detect similar attacks.
Assessment Questions
Question 1
What was the primary initial access vector that the Everest ransomware gang typically exploits according to the Under Armour case study?
- Internet-facing RDP servers without multi-factor authentication
- SQL injection attacks on web applications
- Zero-day vulnerabilities in operating systems
- Physical access to data centres
Question 2
How much data did the Everest ransomware gang allegedly exfiltrate from Under Armour?
- 72 million records
- 343 gigabytes
- Both 72 million records and 343 gigabytes
- 500 terabytes
Question 3
Under GDPR regulations, what is the maximum timeframe for notifying supervisory authorities about a data breach?
- 24 hours
- 48 hours
- 72 hours
- 7 days
Question 4
Which of the following remote access tools were specifically mentioned as being used by the Everest ransomware gang?
- TeamViewer, Chrome Remote Desktop, and VNC
- AnyDesk, Splashtop, and Atera
- LogMeIn, GoToMyPC, and RemotePC
- Windows RDP, SSH, and Telnet
Question 5
What type of attack methodology did Everest employ against Under Armour?
- Single extortion with system encryption only
- Triple extortion with customer threats
- Double extortion with data theft and encryption
- Supply chain attack through third-party vendors
This is 1 of 16 lessons included in the full package.
Choose Your Access
All plans include 30-day money-back guarantee
Taster
Single course access — ideal for trying us out
- Full course access
- Completion certificate
- Try before you commit
Standard
Full course with materials and certificate
- Full course access
- Downloadable materials
- Professional certificate
- Email support
Professional
Everything in Standard plus downloadable resources and priority support
- Full course access
- Downloadable materials
- Professional certificate
- Priority support
- Implementation guides
Teams
Transparent pricing, no sales call required
Starter Team
£99.80/seat effective
Up to 5 learners, all courses included
Growth Team
£66.60/seat effective
Up to 15 learners, all courses included
Scale Team
£39.98/seat effective
Up to 50 learners, all courses included
Need 50+ seats? Contact us for a custom plan.
Fast Checkout
Start Learning in Minutes
Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.
- Stripe-secured payment and delivery workflow
- Audit-friendly completion records
- Escalate to enterprise volume licensing at any point
48-Hour Relevance Guarantee
If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.