Security experts lambaste the retailers handling of the data breach
Sports clothing giant Sports Direct has failed to inform its customers about a major hack attack that say the personal details of 30,000 of its employees stolen.
Back in 2016 a hacker managed to exploit vulnerability in the Sports Direct employee portal content management system, which as the time was DotNetNuke, to gain access to the data.
An anonymous source tipped off The Register to the breach and noted that the employee data was unencrypted and despite the hack taking place last September it took until December for Sports Direct to notice the breach.
Other sources have since revealed that Sports Direct has effectively been keeping the breach under wraps to its employees though it had filed a incident report to the Information Commissioner’s Office (ICO).
By not revealing to the employees that the data breach had taken place, Sports Direct is essentially preventing them from taking action to change passwords and be on the alert for fraud and phishing attempts. Such a move has met the scorn of the security industry.
Dr Jamie Graves CEO at cyber security specialist ZoneFox criticised the morals of Sports Direct and the way it handled the breach.
“The way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber attack. Keeping their 30,000-strong workforce in the dark for over a year is simply unacceptable,” he said.
“And it’s not just morally dubious; with the looming EU GDPR regulations stating companies must declare a data breach within 72 hours or they will face severe fines, a lot of learning must be done by businesses on how they deal with a breach. They have said they filed a report with the ICO, but how quickly that happened has not been disclosed. This is a classic case of an avoidable breach; an unpatched system with unencrypted details. This is infosec 101 and they got it wrong.”
David Emm, principal security researcher at Kaspersky Lab, was also suitably unimpressed.
“This breach once again underlines the need for regulation. It’s to be hoped that GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and secondly, to notify the ICO of breaches in a timely manner,” he said, though leaving the EU may mean Britain is not subject for long to the GDPR in its current form.
The growing number of significant data breaches is certainly a warning that more action needs to be taken to mitigate the damage such attacks can have. But this could be a major undertaking given the UK’s police were found to be behind many major data breaches since 2011.