As if people trying to turn over a new leaf on health aren’t facing enough obstacles – that slice of cake, the newest Netflix show to binge watch, the distance between home and the gym – the latest hack attack shows that fitness enthusiasts aren’t even safe from cyber criminals pilfering their personal information.
Under Armour’s popular app MyFitnessPal was recently hacked and 150 million of its users had their usernames, email addresses and passwords collected. Compared to a shutdown of an entire city’s municipal services because of ransomware, or theft of payment card information from a popular online booking site, the exploitation of this type of information might seem easier to bounce back from, but that’s not the full story.
“There’s no financial account information or social security information, so it’s likely the cost of this incident will be much less severe than other breaches that we’ve seen,” said Rob Rosenzweig, national cyber practice leader for insurance brokerage Risk Strategies.
“However, using a similar line of thinking to the Yahoo incident that we saw a couple of years ago, it still necessitates a response. As you might imagine, for individuals who are using similar emails, password identifiers for various social media logins, this gives the criminals the data points that they need to further social engineer and harvest credentials, and gain access to more sensitive information.”
On the claims side, the sportswear manufacturer might incur costs associated with the forensic analysis and legal advice needed to figure out what its response obligations are and put a plan into action. Because the data exposed in this breach carries fewer regulatory obligations, the final bill will be less severe than if payment card information had been at play, explained Rosenzweig, but the company's image could still be affected.
“Whether it’s warranted or not, there’s still potential for reputational damage as well as litigation from this incident, just the same as there would be if it was a payment card incident or healthcare information or any other sensitive data,” he added.
That doesn’t mean the image of Under Armour is fated for the gutter. It all comes down to how well the incident is handled, whether the company’s response is in line with regulations, and how quickly it acted once it became aware of the breach. After all, according to the national cyber practice leader, the companies that have fared best following a cyberattack were those that were transparent and responded quickly.
In the case of Under Armour, Rosenzweig explained that a well-crafted cyber liability policy would cover the exposures faced in this incident, and the gaps that do exist are on the regulatory level.
“At this point now, all 50 states have breach response laws in place,” he told Insurance Business. “That being said, the majority of the breach response laws that are in place, I would describe as more reactive as opposed to proactive, in the sense that they detail what a company’s obligations are in the event that there has been a data security incident as opposed to outlining minimum security standards that businesses are expected to adhere to.”
Patching these holes is easier said than done, not just because it’s difficult to regulate employees inadvertently clicking on suspicious links when at work.
“There’s certainly a lot of moving parts, whether it be different expectations for different industry verticals based on what information they are likely to collect, whether it’s budget constraints for a small business versus a larger multinational enterprise,” he said. “It’s going to be a challenge for regulators to put something meaningful on the books that’s going to truly be one-size-fits-all.”