Security expert comment on UnderArmour fitness app data breach, 150 million users

Following the news from Under Armour that the company’s MyFitnessPal tracking app was hacked, exposing data of 150 million user accounts, Gabriel Gumbs, VP of product strategy for cybersecurity firm STEALTHbits Technologies, commented:

“Under Armour claims that no government-issued identifiers were exposed in this breach. If this breach occurred 57 days from today, when GDPR enforcement begins, the EU’s Information Commissioner’s Office would draw no distinction as to whether the identifying data was government-issued or not.

You see, GDPR defines ‘personal data’ to mean “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly…”. This is where the privacy rubber meets the proverbial security road.

This breach would still expose Under Armour to the Commissioner’s office scrutiny. Because of the way GDPR defines identifiable information, there is possibly other information in this breach that would also run afoul of GDPR without having to be government-issued. For example, if the MyFitnessPal mobile app collected a phones IMEI number that too would be identifiable data. With less than 60 days to enforcement, companies really should be in full sprint to ensure they are prepared for GDPR.”