Under Armour hit by ransomware, hackers claim “millions of personal data”


Under Armour, the global activewear and footwear brand, has been claimed as a victim by the Everest ransomware group, which says it holds “millions of personal data” belonging to clients, as well as a cache of internal company documents.

The popular activewear and footwear brand and retail chain appeared on the ransomware group's dark leak blog on Monday.

“The leak of your internal company documents contains a huge variety of personal documents and information of clients and employess [sic],” Everest wrote.

The group further claims to have exfiltrated “More than millions of personal data from different countries,” plus another “343 GB of internal company data” from an “UNDER ARMOUR DataBase.”

Cybernews has contacted Under Armour's corporate offices and is awaiting a response.

[Image: Everest's Under Armour post on the Everest leak site. Image by Cybernews.]

Founded in 1996 by former University of Maryland football player Kevin Plank, Under Armour manufactures its own men's, women's, and children's performance wear, which is sold in about 15,000 branded retail stores worldwide to millions of customers.

The company has dual headquarters in Baltimore and Amsterdam, with additional offices in Denver, Hong Kong, Toronto, and Guangzhou, China, and approximately 1,400 employees, according to a company fact sheet.

Its annual revenue in 2025 is listed at $5.1 billion, although the brand has reportedly struggled since the COVID-19 pandemic, resulting in a corporate restructuring announcement just last week.

Breakdown of data claimed

Everest has posted a deadline clock, giving Under Armour instructions to listen to a pre-recorded message, which will disappear when the countdown runs out.

"A company representative should contact us before time runs out," the group says. As of Monday afternoon, there are a little over seven days left on the clock.

The database schema samples list a plethora of personal information belonging to customers, including User IDs, email addresses, and purchase transactions, such as the date of purchase, items purchased, item prices, quantities, shipping statuses, and whether items were returned.

Email subscribers also had their genders, country of origin, and home addresses collected in the database.

[Image: Everest's countdown clock for Under Armour on the Everest leak site. Image by Cybernews.]

Although Cybernews did not see any credit card information, the type of currency used was listed as part of the database info collected.

Employee records contained similar identifiable information, including work and personal email addresses, home addresses, work locations, and teams they worked with.

The detailed information in the Under Armour database, if leaked on the dark web or to other cybercriminal groups, could provide numerous opportunities for targeted social engineering attacks, as well as identity theft, putting tens of thousands of customers and employees at risk.

Everest group's victim list grows

According to Cybernews’ dark web monitoring tool, Ransomlooker, Everest has listed more than 250 victims on its dark blog since 2023, with over 100 victims in the past 12 months, making it a growing force in the ransomware underworld.

Last week, the Russian-leaning gang claimed to have stolen 159GB of data from one of Italy’s largest industrial gas producers, the SAID Group.

In October, it claimed responsibility for an attack on Collins Aerospace and its MUSE check-in software, used for check-ins and passenger management at airports across Europe, causing travel chaos for several days.

Later, the gang threatened to release passenger data from Dublin Airport, eventually leaking Collins Aerospace data after ransom demand negotiations apparently failed.

In late September, the gang claimed BMW as a victim. It also claimed that it breached a subsidiary of Germany's second-largest bank, DZ Bank, and threatened to release stolen data. However, the bank denied that any such attack had taken place.

Other notable incidents include a spate of attacks targeting the Middle East, including Coca-Cola’s Middle East division, the Abu Dhabi Department of Culture and Tourism, and the Jordan Kuwait Bank (JKB).

The gang has also targeted US-based Pacific HealthWorks, the North American gourmet cookie shop chain Crumbl, email marketing behemoth Mailchimp, and the US hotel chain Radisson Country Inn and Suites.

The financially motivated hacker cartel is believed to be connected to the BlackByte ransomware group.

