Under Armour reported a potential data breach when an unencrypted thumb drive, sent to PricewaterhouseCoopers (PwC) as part of the auditing process, was lost in the mail. The potential breach could affect the identities of Under Armour employees due to the exposure of their SSNs, names and salaries.
There have been some high-profile data breaches this year, notably from Zappos, Wells Fargo and Visa. However, those previous breaches were due to a hacker illegally accessing a database. The Under Armour breach is different because it seems to be the product of straight-up human error: someone put an unencrypted thumb drive in the mail and lost track of it.
Who’s at fault? Under Armour? PwC? Or the mail service provider?
PwC seems to be taking this one on the chin, releasing a statement from Jude Curtis, chief ethics and compliance officer, that reads: “PwC is committed to protecting its clients’ confidential information and is working closely with its client to provide protective safeguards to those individuals whose information was lost. The firm deeply regrets that the information was lost in transit to a PwC facility, and is conducting a thorough internal investigation into these events to determine how PwC’s client security protections were breached.”
Fortunately for Under Armour, this breach largely affects internal employees, so it won’t be as widely reported and, if it’s simply human error rather than criminal malfeasance, there are tangible steps Under Armour and PwC can take to keep it from happening again.
Still, even as analysts and security personnel emphasize the importance of online data security, it is equally important to be mindful of the simpler things—like encrypting sensitive information before slipping it in an envelope.