Sports clothing giant Sports Direct has failed to inform its customers about a major hack attack that saw the personal details of 30,000 of its employees stolen.
Back in 2016 a hacker managed to exploit a vulnerability in the Sports Direct employee portal content management system, which at the time was DotNetNuke, to gain access to the data.
An anonymous source tipped off The Register to the breach and noted that the employee data was unencrypted and despite the hack taking place last September it took until December for Sports Direct to notice the breach.
Other sources have since revealed that Sports Direct has effectively been keeping the breach under wraps from its employees, though it had filed an incident report with the Information Commissioner’s Office (ICO).
Dr Jamie Graves, CEO at cyber security specialist ZoneFox, criticised the morals of Sports Direct and the way it handled the breach.
“The way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber attack. Keeping their 30,000-strong workforce in the dark for over a year is simply unacceptable,” he said.
“And it’s not just morally dubious; with the looming EU GDPR regulations stating companies must declare a data breach within 72 hours or they will face severe fines, a lot of learning must be done by businesses on how they deal with a breach. They have said they filed a report with the ICO, but how quickly that happened has not been disclosed. This is a classic case of an avoidable breach; an unpatched system with unencrypted details. This is infosec 101 and they got it wrong.”
David Emm, principal security researcher at Kaspersky Lab, was also suitably unimpressed.
“This breach once again underlines the need for regulation. It’s to be hoped that GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and secondly, to notify the ICO of breaches in a timely manner,” he said, though leaving the EU may mean Britain is not subject for long to the GDPR in its current form.
The growing number of significant data breaches is certainly a warning that more action needs to be taken to mitigate the damage such attacks can have. But this could be a major undertaking given the UK’s police were found to be behind many major data breaches since 2011.