A class action lawsuit blames Under Armour Inc. for a data breach affecting the fitness company’s food and nutrition app, seeking to hold the company liable for the theft of millions of customers’ personal information.

Plaintiff Rebecca Murray claims she used Under Armour’s MyFitnessPal app for a number of purposes, inducing to make purchases.

She alleges that her personal information, including email addresses, passwords, and payment information, was compromised in a data breach which took place earlier this year.

According to the Under Armour class action lawsut, the company admitted that in late February they experienced a data breach to their MyFitnessPal app. Reportedly, that data breach exposed the user names, email addresses, and passwords of about 150 million app users. Allegedly, the passwords were protected by being hashed, which usually makes them more difficult to hack, but they were exposed nonetheless.

In its announcement of the breach, the company stressed that government-issued information like Social Security numbers and drivers’ license numbers were not compromised, as Under Armour does not collect this information in the app. The company also claimed that payment information was not compromised.

In contrast to the company’s claim, Murray’s Under Armour data breach class action lawsuit alleges that her payment information was compromised, as she used payment cards to make purchases in the app.

She blames this alleged exposure of payment information on Under Armour’s negligence. She states that “despite well-publicized citation and frequent public announcement of data breaches, Under Armour and its affiliates opted to maintain an insufficient and inadequate system” to protect its consumers’ information. Allegedly, she was financially injured as a result of this data breach.

Murray claims that the company did not take sufficient steps to protect consumer information, which resulted in the data of millions of users vulnerable to hacking and theft. She seeks damages for herself and all similarly affected consumers, claiming that she was financially injured by the breach.

Her representation states that customers “paid substantial premiums for Under Armour services and trusted UA with their sensitive data,” and that they were not sufficiently vigilant in protecting this information.

Additionally, Murray claims that the company failed to notify consumers of the data breach in a timely manner. Allegedly, their delay in notifying consumers of the breach magnified the damage done, because it prevented consumers from taking action quickly to minimize the damage done by having their information stolen.

The Under Armour MyFitnessPal class action lawsuit states that many consumers had to change email addresses, passwords, and other identifying information, which, if left unchanged for a period of time, could result in further compromise of information.

A study shows that consumers who are victims of a data breach spend months, sometimes over a year, attempting to re-secure their information or recover from identify theft.

Murray is represented by Thomas V. Girardi and Keith D. Griffin of Girardi Keese and Ebby S. Bakhtiar of Livingston Bakhtiar.

The Under Armour MyFitnessPal Data Breach Class Action Lawsuit is Rebecca Elizabeth Murray v. Under Armour Inc. Case No. 2:18-cv-04032, in the U.S. District Court for the Central District of California.