Under Armour, Hudson Bay, and Panera: 10 Lessons Learned from their Data Breaches

Posted by Joe Vigorito on Apr 9, 2018 3:37:25 PM

It has been a tough couple of weeks for the retail and restaurant industries. Under Armour, Panera, and Hudson Bay all came forward to announce major breaches of data entrusted to them. 

What can we learn from this continuing cavalcade of data breaches that we are becoming more and more inured to as time goes on? Let's take a closer look.

Under Armour

On March 29, Under Armour disclosed that 150 million MyFitnessPal users’ information, such as usernames, email addresses, and passwords, had been breached. This was possible using a hashing tool called bcrypt, one of the more current tools used in the industry today.

Under Armour came forward quickly and honestly, using both email and in-app messaging to disseminate the information to consumers. They instructed affected users to change their MyFitnessPal passwords and to change the password on any other accounts where they use the same one. But they have yet to reveal exactly what other information was garnered in the attack, including photos, location data, and other health-related information the app tracks.

If this happened on May 25, 2018, rather than March 29, 2018, Under Armour would have come under the scrutiny of the EU Information Commissioner, who could claim violations under the General Data Protection Regulation (GDPR), which becomes enforceable on May 25.

The GDPR definitions of personally identifiable data and of “data subjects,” the people whose data is violated, are broader than those in previous regulations. Under GDPR Article 3(2)(a), the regulation applies to every non-EU retailer that sells goods to people in the European Union, where any of the ample personally identifiable data sources are collected. I do not know how any retailer could process any transaction online without collecting such data.

Hudson Bay

Hudson Bay, the owner of iconic brands Saks Fifth Avenue and Lord & Taylor, was more reserved in taking ownership of its breach. They announced on April 2 that the issue affected payment cardholders in some stores across North America, but did not reveal which ones specifically. Their leadership indicated steps were being taken “to contain the breach,” but gave little indication of what those specific steps were.

News outlets reported that millions of cardholders have been affected. Hudson Bay has agreed to pay for a year of credit monitoring for those who sign up, a small solace since the dark web contains tens of millions of records for sale that are more than one year old. Attackers are patient people and will wait out credit monitoring. Hudson Bay is cooperating with law enforcement and the payment card companies.


Panera

On April 2, Krebsonsecurity.com revealed that Panera's panerabread.com website had leaked millions of customer records. These included names, emails, physical addresses, birthdays, and the last four digits of customers' credit card numbers.

News outlets cited strong indications and an email chain suggesting Panera knew there was a problem eight months ago. In the email chain, the company acknowledged efforts to find a resolution, but data still leaked as recently as days ago. Note that they originally dismissed the security researcher’s notification to them in August 2017 as “a scam” (see number 4 below).

Lessons Learned

Some points we speak to clients about all the time are:

  1. Have an incident response plan documented and tested. Know who to call in the first five minutes, five hours, and five days. Have a lead spokesperson (note I said spokesperson, not ten people). The plan should include contacting your security investigation partner, your cyberinsurer, your legal counsel, and your internal risk manager, at minimum.

  2. Consider classifying, then segmenting and isolating your data. Cardholder data covered under the Payment Card Industry Data Security Standards (PCI DSS) does NOT carry the same importance as copies of previous publicly available press releases. Put different security wrappers around them and treat the loss of the first as having catastrophic consequences, and the loss of the second as minor or insignificant.

  3. Have an accurate and up-to-date asset inventory. You cannot know what data had its confidentiality breached if you do not know what you had to start with.

  4. Act quickly, honestly, and with integrity. Being evasive, defensive, and dismissive is never effective.

  5. Engage your technical security team and your security partner immediately. If it is a false positive, be happy it was nothing more than that.

  6. Have your data owners available to work with you in your war room. Note, your data owners are almost never IT people. If you have a breach and expect only IT and cybersecurity personnel to handle every aspect of it, consider getting help forming a new plan. A data breach is a business problem.

  7. Do not call it a breach until it is confirmed as a breach. Call it an incident until then. Ask a member of our cybersecurity team or your legal counsel why.

  8. Know what regulations you comply with. More importantly, know what the notification requirements are for that regulation.

  9. Spend wisely. If you run a 7x24x365 e-commerce site, then do not expect the 8x5 Monday to Friday team to have complete visibility into threats and vulnerabilities. Get help in two forms. First, managed security services have evolved greatly and now offer service levels that would be challenging to emulate with internal staff. Investigate your options. Second, consider doing a risk assessment now. If you have done one, do vulnerability assessments and penetration testing at regular intervals, perhaps quarterly or semi-annually. These assessments are baselined using long-validated industry benchmarks like NIST and ISO.

  10. Test. Prepare. You will get attacked. You will have incidents. That does not mean you must have data breaches. Avoid being another headline or news story and build a business case for your senior leadership or board. Many are prepared to help you; you just need to take the first step.
