MyFitnessPal & The Value of Health Data
According to the press release, an unidentified unauthorized party accessed datasets belonging to MyFitnessPal users in late February 2018. The data potentially breached includes email addresses, usernames and hashed passwords. Notably, health and payment data was stored separately and at the time of writing nothing indicates that they were compromised as well.
What is the impact?
While a breach impacting 150 million users is bound to draw at least some media and regulator backlash, we expect the overall impact of this attack to be limited. According to Under Armor, the passwords in question were hashed using bcrypt - one of the strongest hashing algorithms currently in use. Bcrypt is very resistant to both Brute Force and Rainbow Table attacks meaning that very few if any of the leaked passwords are likely to be cracked. The large number of leaked email addresses will doubtlessly lead to regulatory inquiry but is unlikely to earn Under Armor more than a modest fine due to the lack of leaked health data.
The situation would be very different if health data were included in the breach. For one, end users reactions are often proportional to the perceived privacy level of the compromised data. Many see their personal health information as more sensitive than just a few pieces of data. Attackers know this, and have abused such health information for blackmail and identity theft attacks in the past. While price data fluctuates widely, health related data sets commonly outprice credit card related datasets on the black market for this reason.
For another, Under Armor is a US company and the US government’s HIPAA legislation establishes additional stringent requirements for the handling of health data and breaches involving it.
While a large number of datasets were potentially breached, we expect the fallout from this hack to be minor due to the strong hashing function used on the passwords and the lack of leaked health data.
Had the passwords been protected by weaker methods or had health data leaked, the incident would likely carry a significantly higher cost for Under Armor both in terms of regulatory consequences and image damage.
Even when breaches do happen, the overall security level of a company plays a significant role in how they will play out.