Information authorities and security experts are reportedly appalled by the way Sports Direct handled a data breach that happened back in September of last year. Apparently, the company never actually told its employees about it, leaving them to find out from the news.
Sports Direct's internal monitoring systems raised an alert when the attack occurred in September but, somehow, the company remained unaware of it until December. Why that alert was never escalated to anyone who could act on it remains a mystery to all.
What is more vexing is that the retailer decided against warning its employees because it believed the data had not been copied or shared. A belief that data was not exfiltrated is not the same as evidence that it was not, and by failing to inform the employees, who are the very victims of the hack, the company potentially prevented workers from taking steps to protect themselves from further harm. Had Sports Direct told them, the employees could have watched out for phishing emails and other scams, changed their passwords, and alerted their banks.
The information accessed through the staff portal included:
- Names;
- Addresses;
- Email addresses;
- Phone numbers;
- Potentially bank details and National Insurance numbers.
ICO informed
The major UK sports retailer did inform the Information Commissioner's Office (ICO) of the breach, and has said it will work alongside the authorities and provide relevant information, but the incident could well cost the company a heavy fine. The ICO has begun making enquiries, and will be taking into account that the information was held on an unpatched system and that the data itself was unencrypted.
Encrypting stored data is one of the most basic security controls: it renders the data unreadable, and therefore useless, to anyone who obtains a copy without also obtaining the key, unless the encryption is weak enough to be broken. The caveat is that encryption at rest only helps if the key is not reachable from the compromised system; leaving the key beside the data it protects offers no real protection.
New legislation is coming soon!
This security breach comes as the new General Data Protection Regulation is introduced as a crackdown on how companies prevent and handle data breaches. The way the sports retailer handled its data breach is exactly why the new regulation was needed. Dr Jamie Greaves, cybersecurity expert at ZoneFox, was unsympathetic, slamming the incident as "how not to deal with a cyber-attack."
Sports Direct is most probably breaching its current legislative duties to notify affected individuals as soon as possible, so that they are able to start protecting themselves immediately. The GDPR, scheduled to come into force in May 2018, will require companies to report breaches to the supervisory authority within 72 hours of becoming aware of them. The Regulation brings very hefty fines for non-compliance, so hopefully companies will be incentivised to tighten up their security. Unless Sports Direct massively overhauls its current security systems, there is no way the company will be able to comply.
This is not the first time Sports Direct has come under fire from the authorities: a previous Parliamentary investigation found that it was paying employees below the National Minimum Wage. A separate investigation also found that employees were treated with a distinct lack of dignity and respect, with Business, Innovation and Skills Committee chairman Iain Wright likening the workplace to a "Victorian Workhouse".