Data breaches strike CareFirst and Under Armour

One day after Under Armour notified users of a security breach of one of its fitness apps, CareFirst BlueCross BlueShield said Friday it was victimized by another sort of computer attack — an email “phishing” scheme.

CareFirst, the state’s largest insurer, said the attack could have exposed the personal information of 6,800 of its members. The information that may have been compromised included names, member identification numbers and dates of birth. In eight cases, Social Security numbers could have been taken, but no medical or financial information was compromised.

Word of the CareFirst exposure follows Under Armour’s announcement that 150 million users of its MyFitnessPal food and nutrition app and website were affected by a breach, making the Baltimore-based health insurance company and athletic apparel brand the latest victims of hacker attacks against corporations and municipalities.

The City of Baltimore discovered a so-called ransomware attack that breached and shut down its automated 911 dispatch system on Sunday, the same day Under Armour said it learned of the MyFitnessPal breach.

The affected MyFitnessPal data included user names, email addresses and passwords protected by an encryption algorithm called bcrypt.

Computer security experts said Friday that the data affected by the Under Armour breach appeared “relatively innocuous,” although they said the hack should serve as a reminder to use unpredictable passwords.

“Under Armour under the circumstances is doing everything they should be doing,” said Joseph Carrigan, senior security engineer at the Johns Hopkins Whiting School of Engineering.

“They’ve used a very good encryption algorithm, but it’s the users’ responsibility to pick a good password. If you have a common password — one used by many people — you can assume people who got this data already know your password,” Carrigan said.

The risk is someone could use your user name and email address and guess your password to access your MyFitnessPal account and other accounts for which you may use the same log-in information, experts said. Many people use common user names and passwords across multiple accounts.
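The bcrypt named above is a deliberately slow, salted password hash rather than reversible encryption, which is why the experts quoted here treat the hashed passwords as safe only when the password itself is not guessable: a slow hash multiplies the cost of every guess, but a password that sits on every common-password list needs only a handful of guesses. The following is an added example written for this article, not code from Under Armour or MyFitnessPal. It uses `hashlib.scrypt` from the Python standard library as a stand-in for bcrypt (bcrypt needs a third-party package), a small constructed deny-list in place of a real common-password list, and hypothetical cost parameters. It shows the two defensive controls the article implies: reject deny-listed passwords at signup, and audit an existing user table for accounts whose stored hash matches a deny-list word so they can be forced to reset, as Under Armour is requiring.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed deny-list standing in for a real "most common passwords" list
# (real deployments use a list of millions of breached passwords).
COMMON_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "123456789", "12345678", "111111",
    "letmein", "football", "iloveyou", "admin", "welcome", "monkey",
})

MIN_LENGTH = 12

# Hypothetical scrypt cost parameters (N, r, p); 2**14 and r=8 use 16 MiB
# of memory per hash, the same kind of tunable slowness bcrypt's cost gives.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def password_policy_errors(password: str) -> List[str]:
    """Return the reasons a candidate password is rejected at signup (empty if accepted)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("appears on the common-password deny-list")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted slow hash, stored with its parameters so they can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def accounts_to_force_reset(records: Dict[str, str]) -> List[str]:
    """Defender-side audit: usernames whose stored hash matches a deny-list word.

    A slow hash only raises the price per guess; an account whose password is
    on the deny-list falls after at most len(COMMON_PASSWORDS) guesses, so
    those accounts are the ones to force-reset after a breach.
    """
    flagged = []
    for username, stored in records.items():
        if any(verify_password(word, stored) for word in COMMON_PASSWORDS):
            flagged.append(username)
    return sorted(flagged)


if __name__ == "__main__":
    # Constructed user table: one weak password, one long unique passphrase.
    users = {
        "alice": hash_password("letmein"),
        "bob": hash_password("tr0ub4dor&3-long-enough"),
    }
    print("signup check for 'password':", password_policy_errors("password"))
    print("accounts to force-reset:", accounts_to_force_reset(users))
```

The audit function deliberately goes through `verify_password` rather than comparing raw digests, so it respects each record's own salt and cost parameters; on a real table the deny-list would be large and the audit would run as a batch job, which is exactly the trade-off the slow hash is buying.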

It is difficult to compare the seriousness of the MyFitnessPal and CareFirst breaches, said Dave Levin, an assistant computer science professor at the University of Maryland’s Cybersecurity Center.

“In and of itself, that (CareFirst) information is definitely more sensitive,” Levin said. “I can change my password. I can’t change my Social Security number.”

But Levin said the scale of the MyFitnessPal breach is much larger and it is hard to assess how much information hackers could obtain by exploiting the data they already have.

Under Armour acquired San Francisco-based MyFitnessPal for $475 million in February 2015, when it also acquired Endomondo, a fitness app based in Copenhagen, Denmark, for $85 million.

CareFirst said the original phishing message and resulting spam messages were forensically examined by its information security team as well as a third-party firm.

Phishing attacks use deceptive emails and websites to convince people to disclose personal information.

“CareFirst’s systems in general were also forensically analyzed,” the insurer said. “There was no evidence of malware in the phishing email or spam and no other suspicious activity was detected within CareFirst’s systems. The individual email account was reset.”

Under Armour learned on March 25 about the app breach and said it “quickly took steps to determine the nature and scope of the issue.”

The company said it began notifying users four days later through emails and in-app messaging and will be requiring users to change their passwords.

“In the scheme of things, four days is not bad,” said Anupam Joshi, director of the UMBC Center for Cybersecurity. “In some companies, it’s months or weeks” before users are alerted, he said.

Joshi said the incident should serve as a lesson to app users.

“In the security world it pays to be paranoid,” he said. “If you have used this password somewhere else, I would go ahead and change it. These kinds of breaches happen more often than you would want them to.”