TOKË VANDERVOORT: March 23rd was a Friday, and that night and the following afternoon we received two separate tips. One of our guys heard through a back-channel whisper on LinkedIn, “I’ve got some information that might be interesting to you.” It was just a sample of dated data—not enough to do anything with. The next day we got word that it looked like there was more, but we didn’t have more information than that.
Then on Sunday, an undisclosed but trusted source said they had a file for us. After four hours of trying to download this file—it wasn’t timing out, it was still downloading—I realized we had a problem. When we were able to start accessing that file, we realized very quickly what the situation was. That was about 8 on Sunday night. As leads for the incident response team—one of my many roles as Deputy General Counsel—our information security officer and I called it a breach that night.
My first call on Monday [March 26th] morning was to John Stanton, [EVP and General Counsel at Under Armour]. I remember it vividly because his question was, “Why are you calling me before 8 on a Monday? It can’t be good.” And I said, “It’s not.”
Then I called Lisa as outside legal counsel. The relationship with Lisa was one that was already established by Under Armour, but I also knew her well as the go-to professional in this space.
We notified key people, like Paul Fipps, our Chief Digital Officer, and soon after we created a war room: papered the windows, opened up a phone line, started keeping notes on a whiteboard in terms of a timeline, people, contacts, contractors, things like that. Records on the wall were literally being made in real time.
Our team was also working with outside forensics teams to make sure nothing else was going on. We were trying to ascertain the problem, fix the problem and find any other breakages along the way—all at the same time.
And then the news went to the executive leadership team that morning.
KELLEY McCORMICK: I’d only been with the brand for about three months, and that was my second executive leadership team meeting. I was learning a lot about the ethos of the company and how the brand was built. I was still figuring out functions of teams.
After finding out, it wasn’t who to call, it was what part of the company was I calling? I had the luxury of having people—both our team in-house and outside advisers—to help us think through the process. And I was literally learning about the company and discovering our amazing capabilities in the process.
TV: I remember Kelley being in John’s office and saying very humbly, “This is where my job gets easy because I do what legal tells me.” I knew your job wasn’t going to be easy at all, but it was funny.
KM: There are times when communications can challenge legal to relax or be more aggressive. But given the nature of this situation, I felt the default had to go to legal. I wanted to diminish that debate.
TV: After he had processed the news, Paul Fipps, our Chief Digital Officer, pulled the team together. His first inclination was essentially: “We recently relaunched our core values and those will inform how we do this.” Guided by those values, he wanted us to go public with the information before markets closed on Thursday. Because Friday was Good Friday, a market holiday. And then you have the weekend. Nobody wants to go out on a Friday. It’s considered crummy. The holiday sort of threw us into that aggressive push to get it out by Thursday.
But, of course, the last thing you want is to go out twice. You look incompetent, right? So it not only had to be very fast, it had to be right. I remember a conversation where we were asked, “Can you do it by Thursday?” And I said, “We’re going to try.” And the response was: “That wasn’t my question.”