Photo credit: umarazak/Shutterstock.com

This week, sportswear apparel retailer Under Armour became the latest U.S. company to make an announcement that no company wants to have to make—its systems had suffered a massive data breach.

The Baltimore-based company revealed Thursday that approximately 150 million users of its MyFitnessPal app, which allows users to track their diet and exercise, had been infiltrated in a February hack that was uncovered by parent company Under Armour on March 25.

In a statement from MyFitnessPal, the subsidiary said that the majority of information stolen “included usernames, email addresses, and hashed passwords,” but not payment card data, because that was “collected and processed separately.”

Lawyers and cybersecurity specialists say that such a separation of private payment data, whether done on purpose or not, is helpful to minimize damage in a data breach.

“It is a good practice to separate payment systems into a different server, and to segregate sensitive data,” said Brenda Sharton, litigation partner and chair of privacy and cybersecurity at Goodwin Procter.

Robert Cattanach, a partner at Dorsey & Whitney, says that hackers often seek the “weakest link” in a company's data security. While that may initially lead to data that's not extremely sensitive, if information isn't segregated hackers can move horizontally and access private, personal data.

“There are lots of different ways to thwart the intruders, so to speak,” Cattanach said. “Compartmentalizing, siloing information is a very good idea, but you're never going to be perfectly keeping them out, no one can. The most important thing is a good detection system so that once they're in, before they can do anything, you shut them down. The third line [of defense] is don't give them much data.”

It's unclear whether Under Armour segregated MyFitnessPal's payment card information internally for security purposes, or whether the company was simply using a third-party payment processor for other reasons. Under Armour declined to comment on the breach beyond the initial announcement.

Larry Ponemon, chairman and founder of privacy and data protection think tank the Ponemon Institute, says its not uncommon for companies to use third-party payment processors. He said these companies should make sure their outside providers have high data privacy and security standards.

“You want the company that is going to process your payment information to be very legitimate and to have good controls in place,” Ponemon said.

Regardless of whether companies are segregating sensitive data via third-party processors or internally, Ponemon says it's a smart move to keep important, personal data separate and harder for hackers to locate en masse.

“Then, if you hack into one system you can't get it all because you have to go to all the places [data is housed],” he said. “Network segmentation is a very good idea, especially for networks in e-commerce where you have super amounts of data.”