Sports Direct Hides Massive 2016 Data Breach From 30,000 Employees

Sports clothing giant Sports Direct has failed to inform its employees about a major hack attack that saw the personal details of 30,000 of them stolen.

Back in 2016 a hacker managed to exploit a vulnerability in the content management system behind the Sports Direct employee portal, which at the time was DotNetNuke, to gain access to the data.

An anonymous source tipped off The Register to the breach and noted that the employee data was stored unencrypted, and that despite the hack taking place last September it took until December for Sports Direct to notice the intrusion.

Other sources have since revealed that Sports Direct has effectively been keeping the breach under wraps from its employees, though it had filed an incident report with the Information Commissioner's Office (ICO).

Hushed hack

By not revealing to the employees that the data breach had taken place, Sports Direct is essentially preventing them from taking action: changing passwords and being on the alert for fraud and phishing attempts that reuse the stolen details. Such a move has drawn scorn from the security industry.

Dr Jamie Graves, CEO at cyber security specialist ZoneFox, criticised the morals of Sports Direct and the way it handled the breach.

“The way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber attack. Keeping their 30,000-strong workforce in the dark for over a year is simply unacceptable,” he said.

“And it’s not just morally dubious; with the looming EU GDPR regulations stating companies must declare a data breach within 72 hours or they will face severe fines, a lot of learning must be done by businesses on how they deal with a breach. They have said they filed a report with the ICO, but how quickly that happened has not been disclosed. This is a classic case of an avoidable breach; an unpatched system with unencrypted details. This is infosec 101 and they got it wrong.”

David Emm, principal security researcher at Kaspersky Lab, was also suitably unimpressed.

“This breach once again underlines the need for regulation. It’s to be hoped that GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and secondly, to notify the ICO of breaches in a timely manner,” he said, though leaving the EU may mean Britain is not subject to the GDPR in its current form for long.

The growing number of significant data breaches is certainly a warning that more action needs to be taken to mitigate the damage such attacks can cause. But this could be a major undertaking, given that the UK’s police forces were found to be behind many major data breaches since 2011.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
