Under Armour Class Action, Company Failed to Protect Customer Data in 343 GB Breach

ByAll About Lawyer Reading Time: 6 minutes

Under Armour faces multiple class action lawsuits after the Everest ransomware group allegedly stole 343 gigabytes of customer and employee data in November 2025. Plaintiffs claim the athletic apparel company failed to implement reasonable security measures, leaving millions of customers’ personal information exposed on the dark web.

What Happened in the Under Armour Data Breach?

On November 16, 2025, the Everest ransomware gang posted claims on their dark web leak site alleging they had breached Under Armour’s systems. The group published sample data to prove their claims, including customer shopping histories, email addresses, phone numbers, purchase timestamps, product identifiers, prices, store preferences, and marketing campaign logs.

Everest issued a seven-day deadline for Under Armour to contact them via Tox messenger, warning that failure to respond would result in a full data release. Analysis of the leaked dataset indicates approximately 75 million unique email addresses were exposed.

Who Are the Plaintiffs?

Two separate class actions have been filed:

Ganesh v. Under Armour Inc.

  • Filed in U.S. District Court for the District of Maryland by plaintiff Orvin Ganesh
  • Case No. 1:25-cv-04106-MJM

Malone v. Under Armour Inc.

  • Filed by Maryland resident Milreace Malone, a former Under Armour employee
  • Different court from the Ganesh lawsuit

What Customer Data Was Compromised?

The breach allegedly exposed customer personally identifiable information including email addresses, phone numbers, physical locations, transaction data with purchase histories and preferences, and employee data including contact details, personnel files, and potentially passport information.

The 343 GB cache includes millions of customer records with deep-link tracking metadata, internal corporate data, marketing logs, and comprehensive product catalog information.

What Are the Legal Claims Against Under Armour?

Plaintiffs allege Under Armour is guilty of negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and seek declaratory judgment.

The lawsuits claim Under Armour:

  • Failed to implement and maintain reasonable safeguards
  • Failed to comply with industry-standard data security practices and laws governing data security
  • Failed to properly encrypt sensitive information
  • Failed to timely notify affected individuals about the data breach
Under Armour Class Action, Company Failed to Protect Customer Data in 343 GB Breach

What Evidence Supports the Allegations?

The complaint states that Federal Trade Commission guidelines advise businesses to properly dispose of personal information that is no longer needed, encrypt information stored on computer networks, understand their network’s vulnerabilities, and implement policies to correct security problems.

Court documents allege the compromised private information was unencrypted and unredacted. The lawsuit contends that Under Armour negligently failed to meet minimum standards in cybersecurity protection that may have made the incident largely preventable.

Under Armour’s Response

The lawsuit claims that Under Armour has not acknowledged the data breach or notified impacted individuals that their sensitive personal data has been exposed. The company has not issued any public disclosure about the breach.

What Does This Mean for Affected Customers?

As a result of the data breach, class members may experience diminished value of their privacy, exposure of private information, monetary losses, anxiety, and emotional distress.

Exposure of this information places affected individuals at risk of identity theft, phishing attacks, and fraud.

The present and continuing risk of identity theft and fraud to victims of the data breach will remain for years, as hackers targeted the information specifically for its value in exploiting and stealing identities.

How Does a Data Breach Class Action Work?

The plaintiffs seek to represent a nationwide class of individuals whose personally identifiable information was compromised in the breach. The class action looks to cover all United States residents whose private information was accessed or obtained by an unauthorized party as a result of the November 2025 data breach.

Class members typically don’t need to take action to join when lawsuits are initially filed. If the case results in a settlement, affected individuals may receive:

  • Compensation for documented losses
  • Free credit monitoring services
  • Reimbursement for time spent on mitigation efforts

Recent Developments in Data Breach Litigation 2025

The Under Armour case reflects broader trends in corporate data breach accountability. Class certification success rates rose to 40% in 2024, driven by courts recognizing emotional distress as harm.

In December 2025, the FTC took action against Illuminate Education for data security failures that led to a breach affecting 10 million students, requiring the company to implement a comprehensive information security program.

The FTC has warned that compliance with data breach notification laws might not be enough, stating that failure to timely notify parties of a breach may constitute an unfair trade practice where that failure increases the likelihood of harm.

Who Is the Everest Ransomware Group?

Active since at least December 2020, Everest has evolved from data extortion and ransomware operations to increasingly acting as an Initial Access Broker. The Russia-linked group uses double-extortion tactics: stealing data, then threatening to leak it if ransom demands aren’t met.

Previous victims include AT&T’s carrier website with over 500,000 users’ data, 1.5 million Dublin Airport passenger records, and internal Coca-Cola employee data.

What Should Affected Customers Do?

If you’re an Under Armour customer who may have been affected:

  1. Change your passwords immediately, especially if you used the same password across multiple accounts
  2. Enable two-factor authentication on all accounts
  3. Monitor your accounts for unauthorized activity
  4. Watch for phishing emails disguised as breach notifications
  5. Consider credit monitoring services
  6. Place a credit freeze if you’re concerned about identity theft

FAQ: Under Armour Data Breach Class Action

Q: Has Under Armour confirmed the breach? 

As of late 2025, Under Armour has not publicly confirmed how large the leak is, though Everest has claimed responsibility and released sample data.

Q: Do I need to do anything to join the class action? 

Usually nothing is required to join when lawsuits are initially filed. If there’s a settlement, you’ll be notified about how to file a claim.

Q: What compensation might class members receive?

 Typical data breach settlements include reimbursement for documented losses up to $5,000 per claimant and free credit monitoring valued at $300-$500 per year.

Q: How long will this case take?

 Data breach class actions typically take 1-3 years to resolve, depending on whether the case settles or goes to trial.

Q: What makes this breach different from others?

 This breach is notable for the sheer volume of data (343 GB), the inclusion of employee passport information, and the exposure of detailed marketing and commercial intelligence.

Q: Can Under Armour be held liable under federal law?

 The FTC Act requires reasonable security measures, and violations can lead to injunctions and fines. The lawsuits cite multiple legal theories including state consumer protection laws.

What This Means for Corporate Data Protection

The Under Armour breach represents a concerning escalation, as cybersecurity analysts emphasize that ransomware groups increasingly prioritize data intelligence extraction over traditional encryption-based extortion.

The inclusion of passport details and transaction logs represents a particularly concerning development, as such data enables targeted fraud and identity theft schemes against both customers and employees.

For companies, this case underscores the importance of:

  • Implementing encryption for sensitive data
  • Maintaining up-to-date security protocols
  • Conducting regular vulnerability assessments
  • Having incident response plans ready
  • Providing timely breach notifications

Legal Representation

The plaintiff in the Ganesh case is represented by Jason S. Rathod of Migliaccio & Rathod LLP and Beena M. McDonald, Alex M. Kashurba and Holly E. Jones of Chimicles Schwartz Kriner & Donaldson-Smith LLP.

This article is for informational purposes only and does not constitute legal advice. If you believe you were affected by the Under Armour data breach, consult with a qualified attorney about your rights and options.

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah

Leave a Reply

Your email address will not be published. Required fields are marked *