[TOP STORY]: Under Armour Probes Massive Breach Claim Involving 72M Customer Records
Sportswear giant Under Armour is investigating claims that an unauthorized third party stole a database containing records on roughly 72 million customers, including names, email addresses, dates of birth, gender, and approximate location. The dataset, shared with Have I Been Pwned and reviewed by reporters, appears to link millions of purchase records and employee emails, raising the stakes beyond a simple email leak.
The Threat: A dataset of this size provides high‑quality material for large‑scale phishing, account takeover attempts, and business email compromise targeting both customers and staff.
The Status: Under Armour has acknowledged the claims and confirmed some sensitive information was taken but states payment systems and passwords do not appear impacted; investigations and notifications are ongoing.
Mitigation: Treat any Under Armour‑related email as high‑risk, enforce phishing‑resistant MFA on all consumer and corporate accounts where those emails are used, and monitor for password reuse against corporate SSO and VPN portals.
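One way to turn the mitigation above into a triage step: correlate the leaked email column against a corporate identity export and prioritize forced resets for exposed accounts that lack phishing‑resistant MFA. This is an added example, not code from the newsletter; the leaked rows, the directory export, the `example-corp.com` domain and the MFA method names are all constructed.

```python
"""Triage a leaked customer/employee dataset against a corporate directory.

Added example, not from the newsletter. All data below is constructed:
the leak rows mimic the fields reported for the Under Armour dataset
(name, email, DOB, gender, location); the directory export is hypothetical.
"""
import csv
import io

LEAK_CSV = """name,email,dob,gender,location
Ann Lee,Ann.Lee@Example-Corp.com,1990-04-02,F,Boston
Bob Ray,bob.ray+shop@example-corp.com,1985-11-30,M,Denver
Cy Dunn,cy@mail.example,1979-01-15,M,Austin
Dee Fox,DEE.FOX@example-corp.com,1992-07-07,F,Seattle
"""

DIRECTORY_CSV = """upn,mfa_method,roles
ann.lee@example-corp.com,fido2,user
bob.ray@example-corp.com,sms,vpn-admin
dee.fox@example-corp.com,none,user
eve.kim@example-corp.com,fido2,sso-admin
"""

# Assumption: these methods count as phishing-resistant in this environment.
PHISHING_RESISTANT = {"fido2", "certificate", "passkey"}
PRIORITY_ORDER = ("critical", "high", "medium")

def normalize(email: str) -> str:
    """Lower-case and strip '+tag' sub-addressing so leaked and directory forms match."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def exposed_accounts(leak_csv: str, directory_csv: str) -> list[dict]:
    """Return corporate accounts whose email appears in the leak, most urgent first."""
    leaked = {normalize(r["email"]) for r in csv.DictReader(io.StringIO(leak_csv))}
    findings = []
    for user in csv.DictReader(io.StringIO(directory_csv)):
        upn = normalize(user["upn"])
        if upn not in leaked:
            continue
        weak_mfa = user["mfa_method"] not in PHISHING_RESISTANT
        privileged = "admin" in user["roles"]
        # Exposed + privileged + no phishing-resistant MFA is the worst case.
        priority = "critical" if weak_mfa and privileged else "high" if weak_mfa else "medium"
        findings.append({"upn": upn, "priority": priority, "mfa": user["mfa_method"],
                         "force_reset": True})
    return sorted(findings, key=lambda f: PRIORITY_ORDER.index(f["priority"]))

if __name__ == "__main__":
    for finding in exposed_accounts(LEAK_CSV, DIRECTORY_CSV):
        print(finding)
```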
CRITICAL PATCHES (CVE WATCH)
Microsoft Office / Excel – January 2026 Patch Tuesday (CVE-2026-20946) - CVSS 7.8
Issue: CVE‑2026‑20946 is a remote code execution vulnerability in Microsoft Excel that can allow arbitrary code execution if a user opens a specially crafted spreadsheet.
Action: Prioritize January 2026 Office updates on all endpoints, disable automatic opening of Office documents from email, and tighten attachment sandboxing in mail gateways.
Microsoft Excel – January 2026 Patch Tuesday (CVE-2026-20955) - CVSS 7.8
Issue: CVE‑2026‑20955 is another Excel remote code execution flaw addressed in the same Patch Tuesday, triggered via malicious workbooks and rated high severity.
Action: Ensure all Excel installations (including on terminal servers and Citrix farms) are updated, and deploy application control rules to restrict execution of macros and untrusted Office files.
Veeam Backup & Replication (CVE-2025-59470) - CVSS 9.0
Issue: CVE‑2025‑59470 is a critical remote code execution vulnerability in Veeam Backup & Replication that could allow an attacker to execute code on the backup server, potentially compromising all protected workloads.
Action: Patch all Veeam Backup & Replication servers immediately, restrict management interfaces to admin networks/VPN, and validate that immutable and offline backups are intact and uncompromised.
Cisco Identity Services Engine (ISE) / ISE-PIC (CVE-2026-20029) - CVSS 5.3
Issue: CVE‑2026‑20029 is an information disclosure flaw in Cisco ISE and ISE Passive Identity Connector that can expose sensitive information regardless of device configuration; a public proof‑of‑concept exploit is already available.
Action: Apply Cisco's latest patches, remove direct internet exposure for ISE services, and monitor for unusual identity or policy‑related activity from ISE‑integrated systems.
BREACH BRIEFING
Under Armour (Global Retail & E‑commerce): Under Armour is investigating claims that data for around 72 million customers was stolen and circulated online, including personal details and purchase records, but not payment card data or passwords according to current statements. Have I Been Pwned has already begun notifying affected individuals using the leaked dataset.
Integritek (Managed IT & Cybersecurity Services, USA): Managed service provider Integritek disclosed a breach attributed to the CL0P ransomware group, with the incident discovered on January 22, 2026; the size of the leak is still unknown. As an MSP, compromise here raises downstream risk for client environments that rely on Integritek for remote access and management.
ECA‑USA.COM, INTEGROY.COM, Smith Dalia Architects (Ransomware Claims): Multiple organizations, including aerospace firm ECA‑USA.COM, Canadian company INTEGROY.COM, and Smith Dalia Architects, were listed on Clop ransomware leak sites this week, with actors threatening full data publication absent negotiation. These claims fit a broader pattern of ransomware operators using public leak sites and extortion tactics to pressure victims even before technical impact is fully understood.
TRENDS & ANALYSIS
1. Ransomware Operators Double Down on Supply and Service Chains
This week's Clop activity against MSPs and mid‑market firms (Integritek, INTEGROY.COM, Smith Dalia Architects, ECA‑USA.COM) highlights the continued shift toward hitting service providers and niche industrial players as entry points into broader ecosystems. Ransomware data from recent weeks shows dozens of claimed victims across many countries, reinforcing that leak‑site‑driven extortion remains a central monetization model.
2. Backup and Identity Systems Remain High‑Value Targets
Critical flaws in Veeam Backup & Replication and information disclosure issues in Cisco ISE underscore how attackers increasingly target backup platforms and identity enforcement points to gain persistence, disable recovery, and move laterally at scale. Organizations that treat these platforms as "set and forget" infrastructure create ideal conditions for stealthy compromise with catastrophic blast radius.
3. Mass Data Breaches Feed an Expanding Fraud Ecosystem
The Under Armour incident and other large‑scale leaks feed high‑quality data into cyber‑enabled fraud pipelines, enabling convincing phishing, credential‑stuffing, and synthetic identity attacks years after the initial compromise. Recent global risk outlooks warn that cyber‑enabled fraud, powered by large breached datasets and AI tooling, is becoming one of the most pervasive global threats for both consumers and enterprises.
ONE ACTION ITEM
Lock Down Your Backup and Identity Infrastructure This Week
Why: Current exploits and patches targeting Veeam Backup & Replication and Cisco ISE show that compromise of backup servers or identity controllers can instantly turn a localized incident into a full‑environment outage with limited recovery options. Aligning controls on these platforms with your crown‑jewel systems drastically reduces ransomware impact and post‑breach dwell time.
Action:
- Validate that all Veeam and Cisco ISE systems are on the latest security releases, accessible only from hardened admin segments/VPN, and monitored with high‑fidelity logging and alerts.
- Run an immediate access review for backup and identity platforms (local and domain accounts, service principals, API keys), removing standing admin rights, enforcing MFA, and implementing just‑in‑time elevation for remaining privileged roles.
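The access review above, expressed as a repeatable check: an inventory of privileged principals on the backup and identity platforms is run through the rules the action item names (standing admin without MFA, over‑privileged service principals, stale API keys, logins allowed from outside the admin segment). This is an added example and not the newsletter's or either vendor's tooling; the principals, the `10.50.0.0/24` admin segment and the 90‑day key age are constructed assumptions, and a real run would populate the inventory from each platform's own exports.

```python
"""Privileged-access review for backup and identity platforms.

Added example, not from the newsletter. The inventory is constructed
(hypothetical principals on a Veeam backup server and a Cisco ISE node).
"""
from dataclasses import dataclass, field

MAX_KEY_AGE_DAYS = 90               # assumption: API keys rotate at least quarterly
ADMIN_SEGMENTS = {"10.50.0.0/24"}   # assumption: the hardened admin/VPN segment

@dataclass
class Principal:
    platform: str
    name: str
    kind: str                 # local | domain | service | api_key
    standing_admin: bool
    mfa: bool
    key_age_days: int = 0
    sources: set = field(default_factory=set)   # networks the principal may log in from

INVENTORY = [
    Principal("veeam", "VBR\\backupadmin", "local", True, False, sources={"any"}),
    Principal("veeam", "CORP\\svc-veeam", "service", True, False, sources={"10.50.0.0/24"}),
    Principal("veeam", "rest-key-01", "api_key", True, False, key_age_days=210),
    Principal("ise", "admin", "local", True, True, sources={"10.50.0.0/24"}),
    Principal("ise", "CORP\\alice", "domain", False, True, sources={"10.50.0.0/24"}),
]

def review(inventory: list[Principal]) -> list[tuple[str, str, str]]:
    """Return (platform, principal, finding) for every control gap in the inventory."""
    findings = []
    for p in inventory:
        if p.kind in ("local", "domain") and p.standing_admin and not p.mfa:
            findings.append((p.platform, p.name, "standing admin without MFA: move to JIT elevation"))
        if p.kind == "service" and p.standing_admin:
            findings.append((p.platform, p.name, "service principal holds standing admin: scope down"))
        if p.kind == "api_key" and p.key_age_days > MAX_KEY_AGE_DAYS:
            findings.append((p.platform, p.name, f"API key older than {MAX_KEY_AGE_DAYS} days: rotate"))
        if p.sources and not p.sources <= ADMIN_SEGMENTS:
            findings.append((p.platform, p.name, "login allowed outside admin segment: restrict"))
    return findings

if __name__ == "__main__":
    for platform, name, finding in review(INVENTORY):
        print(f"[{platform}] {name}: {finding}")
```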
Stay safe and patch often. https://www.cvedatabase.com
