Report: Sports Direct breached, data stolen, staff left in dark

News by Max Metzger

Though Sports Direct was reportedly breached last year with hackers accessing internal systems, staff still have not been notified that their data might be compromised.

The UK's largest sports retailer was apparently breached in Autumn 2016, when a hacker accessed the internal systems of the company by exploiting an old version of the DNN platform which ran Sports Direct's staff portal.

An anonymous source told The Register that it was not until December that the company knew that it had been breached. While the retailer apparently contacted the Information Commissioner's Office to notify the regulator, it did not tell its 30,000 employees that their unencrypted personal data was accessed.

The source also claimed that “a phone number had been left on the company's internal site with a message encouraging Sports Direct's bosses to make contact.”

This revelation has not been met forgivingly by some members of the IT security industry. Thomas Fischer, threat researcher and security advocate at Digital Guardian told SC Media UK that, "Public and private organisations alike have a duty of care, not to mention legal obligation, to protect data. By failing to update its systems and appearing to disregard security best practices, Sports Direct has let its employees down.”

Dr Jamie Graves, CEO at ZoneFox told SC, "the way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber-attack. Keeping their 30,000-strong workforce in the dark for over a year is simply unacceptable.”

If this had happened a couple of years later the consequences could be far graver, added Graves: “With the looming EU GDPR regulations stating companies must declare a data breach within 72 hours or they will face severe fines, a lot of learning must be done by businesses on how they deal with a breach. They have said they filed a report with the ICO, but how quickly that happened has not been disclosed. This is a classic case of an avoidable breach; an unpatched system with unencrypted details. This is infosec 101 and they got it wrong."

A spokesperson for Sports Direct was reported by The Register as saying, "We cannot comment on operational matters in relation to cyber-security for obvious reasons. However, it is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed."

Sports Direct did not respond to SC's requests for comment - this article will be updated when and if it does.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop