Sports Direct, the UK’s largest sports retail outlet, suffered a data breach in September 2016, when an attacker gained access to its staff portal, and through it to unencrypted personal information of the company’s 30,000 employees.
But the employees were never notified of this breach. Apparently, there was no evidence that the hacker had exfiltrated the data, leaked it or shared it further, and the company opted for just notifying the Information Commissioner’s Office (ICO), UK’s national data protection authority.
To this day, the employees have not received any notification about this breach.
According to The Register, the intrusion happened in September and the company became aware of it in December.
The hacker left a contact phone number and a message on the company’s internal site, but the contents of the message are unknown. Could it be that it was a request for money to keep mum on the compromise? Or perhaps a way to get the company to hire the hacker to improve security?
Apparently, they need to step up on that front, as the hacker exploited known vulnerabilities in the unpatched version of the open source DNN CMS platform on which the staff portal was running.
“The way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber attack,” Dr Jamie Graves, CEO at ZoneFox, commented for Help Net Security.
“Keeping their 30,000-strong workforce in the dark for over a year is simply unacceptable. And it’s not just morally dubious; with the looming EU GDPR regulations stating companies must declare a data breach within 72 hours or they will face severe fines, a lot of learning must be done by businesses on how they deal with a breach. They have said they filed a report with the ICO, but how quickly that happened has not been disclosed. This is a classic case of an avoidable breach; an unpatched system with unencrypted details. This is infosec 101 and they got it wrong.”
Thomas Fischer, threat researcher and security advocate at Digital Guardian, says that public and private organisations alike have a duty of care, not to mention legal obligation, to protect data.
“By failing to update its systems and appearing to disregard security best practices, Sports Direct has let its employees down. If GDPR was already in enforcement, the repercussions for Sports Direct could have been far greater as it appears that the company was in violation of two requirements of the regulation. First, under the GDPR, companies are required to use appropriate measures to protect all personal data, so the employee information should have been encrypted. Second, companies are obliged to report suspected incidents to the authorities within 72 hours,” he noted.
“The incident also reminds us of the dangers of not notifying the affected parties. Sports Direct has failed to notify employees of the breach, putting those affected at further risk. With personal details in their hands, hackers may have targeted employees through phishing and social engineering attacks – and the employees would have had no reason to believe anything was suspicious.”
A Sports Direct spokesman told The Register that they “cannot comment on operational matters in relation to cyber-security for obvious reasons.”