Within days of realizing a data breach incident had occurred, Under Armour, Inc.—the owner of the popular calorie counting application, MyFitnessPal—began notifying its users of the breach that impacted approximately 150 million user accounts.  According to the data breach notice, the MyFitnessPal team learned on March 25 that an unauthorized party acquired data associated with MyFitnessPal user accounts.  The affected information included user names, email addresses, and passwords, but users' payment card data remained secure since that information is collected and processed separately by MyFitnessPal.

In response to the data breach, MyFitnessPal immediately began taking steps to protect the MyFitnessPal community, including:

  1. Providing users with information on how they can protect their data;
  2. Requiring users to change their passwords and urging them to do so immediately;
  3. Monitoring accounts for suspicious activity and coordinating the company's efforts with law enforcement authorities; and
  4. Continuing to make enhancements to their systems to detect and prevent unauthorized access to user information.

MyFitnessPal also instructed users to change their passwords for other accounts that use the same or similar information as their MyFitnessPal accounts and to monitor all accounts for suspicious activity. It is currently unknown who is responsible for the data breach. However, Under Armour has made it clear that the investigation into the matter remains ongoing.

Under Armour has already earned high marks for its quick response to the data breach, which in large part can likely be attributed to a well-oiled Incident Response Plan that had been tested through tabletop exercises.  This should serve as a reminder that companies are no longer being judged on whether a data incident occurs but rather on how they respond to such incidents—with timeliness being a key component.

The Troutman Sanders' Consumer Financial Services Law Monitor blog offers timely updates regarding the financial services industry to inform you of recent changes in the law, upcoming regulatory deadlines and significant judicial opinions that may impact your business. To view the blog, click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.