Under Armour’s $5.2 Billion Negligence: Your Data is For Sale
The Non-Financial Ledger
Corporate balance sheets measure profit and loss in dollars. They have no column for stolen peace of mind. They cannot quantify the dread that settles in your gut when you learn your personal data, the digital extension of yourself, is now a commodity for criminals. The class-action complaint filed against Under Armour itemizes the theft of data. What it describes is the theft of security, a fundamental human need. For plaintiff Milreace Malone, a former employee, and millions of others, the company’s alleged negligence has imposed a life sentence of constant vigilance.
Every strange email, every suspicious text, every unknown phone call is now a potential threat. The background hum of daily life is now punctuated by spikes of anxiety. Is this a phishing attempt using my stolen data? Is someone trying to open a line of credit in my name? This is the mental tax levied on victims of corporate carelessness. The lawsuit notes Malone has suffered “fear, anxiety, and stress,” a burden compounded by the corporation’s silence. While executives calculated the cost of a public relations response, real people were left to grapple with the fallout alone, their trust in a global brand shattered.
The complaint details the “lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach.” This is the clinical language for hours stolen from your life. Hours spent on the phone with banks, scrolling through credit reports, changing passwords, and researching how to protect yourself from a threat that should never have existed. This time is unrecoverable. It is time that could have been spent with family, on creative pursuits, or simply at rest. Under Armourβs failure to invest in basic security measures like encryption transferred a debt of time and energy directly onto the people whose data fueled its $5.2 billion revenue stream.
This is a story of profound betrayal. Customers and employees provide their information with a reasonable expectation of stewardship. Under Armour’s own privacy policy, cited in the lawsuit, promises “appropriate technical and organizational safeguards.” This was the bedrock of the agreement. The allegation that this data was left unencrypted is an allegation of a fundamental promise broken. It suggests a corporate culture that prioritized profit margins over the privacy and safety of the human beings it relies on for its existence. The data was an asset to be monetized, but its protection was merely an expense to be minimized.
The ransomware group Everest didn’t just steal data; they stole the feeling of safety in a digital world. The countdown timer they placed on their dark web site is a public clock ticking down on the lives of millions. Under Armour’s alleged failure to protect its systems, and its subsequent failure to warn its community, turned its customers and employees into unwilling participants in a hostage negotiation. The non-financial ledger shows a staggering deficit: a catastrophic loss of trust, a permanent state of anxiety, and the quiet, grinding theft of personal time, all written off in the name of corporate profit.
Societal Impact Mapping
Environmental Degradation
The digital economy runs on a massive, physical infrastructure of servers, cooling systems, and fiber optic cables that consume enormous amounts of energy. Every byte of data a company like Under Armour collects and stores has a carbon footprint. The lawsuit alleges that the company retained data “for at least many years and even after the company relationship has ended.” This practice of indefinite data hoarding, common across the corporate world, contributes directly to the environmental burden of data centers, many of which are still powered by fossil fuels.
Negligence exacerbates this problem. Failing to implement “appropriate clearinghouse practices to remove” data that is no longer needed means that servers spin and air conditioners run to maintain vast archives of information that serve no legitimate business purpose. This digital landfill creates an attack surface for hackers and simultaneously wastes energy. A secure, responsible data policy is also an environmental one. By treating data as a permanent asset instead of a temporary trust, corporations like Under Armour contribute to a cycle of unnecessary energy consumption and electronic waste, externalizing the environmental costs just as they externalize the security risks onto their customers.
Public Health
The public health consequences of a massive data breach are severe and long-lasting, inflicting a form of chronic psychological distress on the population. The lawsuit explicitly states that the data breach caused the plaintiff to “suffer fear, anxiety, and stress.” This is not a fleeting inconvenience. For millions of victims, this event triggers a prolonged state of hyper-vigilance. The knowledge that one’s personal information is in criminal hands is a persistent, low-grade trauma that can exacerbate existing mental health conditions and create new ones. The U.S. Government Accountability Office, cited in the complaint, notes that victims face “substantial costs and time to repair the damage to their good name and credit record,” a process that is itself a significant source of stress.
This psychological burden has tangible physical health effects. Chronic stress is linked to a host of medical problems, including hypertension, heart disease, and a weakened immune system. By allegedly failing to implement basic security measures, Under Armour’s negligence becomes a vector for public harm. The company’s inaction has created a widespread health crisis in miniature, imposing real, measurable stress on millions of people who must now live with the “continued and certainly increased risk to their Private Information” for the rest of their lives. This is a direct transfer of corporate risk onto the physical and mental well-being of the public.
Economic Inequality
Data breaches are a powerful engine of economic inequality. A corporation like Under Armour, with $5.2 billion in revenue, possesses immense resources. Its customers and employees do not. The lawsuit’s claim for “Unjust Enrichment” cuts to the heart of this disparity. It alleges Under Armour “enriched itself by saving the costs it reasonably should have expended on data security measures,” choosing to “increase its own profit at the expense of Plaintiff and Class Members.” This is a classic case of privatizing gains and socializing losses.
When the breach occurs, the economic burden shifts entirely to the victims. They bear the cost of “lost time and opportunity” trying to secure their finances. They may have to pay for credit monitoring services. If they become victims of identity theft, they can face devastating financial ruin that takes years to undo. The people least able to afford this burden are often the most affected. A fraudulent charge or a frozen bank account can be a catastrophe for a working-class family. For the corporation, a data breach is a manageable business expense; for an individual, it can be an economic death sentence. This systemically transfers wealth upwards, from the pockets of ordinary people into the profit margins of corporations that refuse to pay the cost of doing business responsibly.
$5.2 Billion
Annual Revenue Built on Data They Allegedly Left Unencrypted
Legal Receipts
The following are direct statements and quotes from the Class Action Complaint, Case 1:25-cv-03857-EA, filed in the United States District Court for the District of Maryland. This is the evidence.
Everest published on its dark web leak site that it stole 343 GB of internal company data, employee information, along with personal data of millions from various countries. Everest also published sample data to prove the authenticity of their claims. Everest has issued a demand to Defendant to make contact with Everest within seven days, and Everest has published a countdown timer until βtime runs outβ.
To date, Defendant has yet to issue any public disclosure about the Data Breach.
Defendant failed to adequately protect Plaintiffβs and Class Membersβ Private Informationββand failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted Private Information was compromised due to Defendantβs negligent and/or careless acts and omissions and their utter failure to protect Plaintiffβs and Class Membersβ sensitive data.
From Under Armour’s own Privacy Policy: βWe implement appropriate technical and organizational safeguards to protect against unauthorized or unlawful processing of personal data and against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.β
Plaintiff and Class Members have suffered injury as a result of Defendantβs conduct. These injuries include: (i) invasion of privacy; (ii) theft of their Private Information; (iii) lost or diminished value of Private Information; (iv) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; … and (viii) the continued and certainly increased risk to their Private Information…
Quoting the U.S. Government Accountability Office: β[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.β
Defendant enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiffβs and Class Membersβ Personal Information. Instead of providing a reasonable level of security that would have prevented the hacking incident, Defendant instead calculated to increase its own profit at the expense of Plaintiff and Class Members by utilizing cheaper, ineffective security measures and diverting those funds to its own profit.
What Now?
The individuals whose data was allegedly left exposed are now combatants in a war they did not choose. While the legal system slowly grinds forward, the risk is immediate. The following entities bear responsibility and require public pressure.
Corporate Roles Under Scrutiny
While specific executive names are not in this legal filing, the responsibility for this catastrophic failure rests with the highest levels of corporate leadership.
- Chief Executive Officer
- Chief Technology Officer
- Chief Information Security Officer
- The Board of Directors
Regulatory Watchlist
These government bodies have the power to investigate and penalize corporate negligence on a scale that forces change. They are the public’s primary defense against corporate malfeasance.
Federal Trade Commission (FTC)
The lawsuit cites Section 5 of the FTC Act, which prohibits “unfair… practices” like failing to secure consumer data. The FTC is the lead agency for punishing this behavior.
Department of Justice (DOJ)
For large-scale breaches with significant criminal components, the DOJ can bring charges and investigate the full scope of corporate recklessness.
State Attorneys General
Every state has consumer protection laws. State AGs can launch their own investigations and file suits on behalf of their residents, adding immense pressure on the company.
The Resistance
Waiting for corporate or government action is not enough. Power is built from the ground up. Support data privacy advocacy groups fighting for stronger laws and corporate accountability. Share this story to pierce the corporate silence. Engage in local organizing and mutual aid networks that help people who have become victims of identity theft. The corporation views your data as a line item on a spreadsheet. We must treat its protection as a non-negotiable right and fight back when that right is violated.
The source document for this investigation is attached below.
Explore by category
Product Safety Violations
When companies sell dangerous goods, consumers pay the price.
View Cases →Financial Fraud & Corruption
Lies, scams, and executive impunity that distort markets.
View Cases →Related posts:
35,000 people had their personal data leaked including social security numbers, drivers license details, and health insurance info | CSC ServiceWorks
LinkedIn exposed your private messages to train AI models
How SpyFone Built a Business on Stalking and Domestic Abuse.
167,000 Ruger Owners Had Their Private Data Exposed
