Sports Direct, a British retailing group, suffered a massive security breach in 2016 in which a hacker stole the personal details of 30,000 of its employees. Another negative aspect of the incident is that the company did not inform its workers about the breach, reports The Register.
The breach took place in September last year when a hacker exploited vulnerabilities in Sports Direct’s employee portal, which was running a content management system based on DNN (formerly DotNetNuke).
An anonymous source told The Register that the stolen data includes unencrypted employee records containing emails, phone numbers, names and postal addresses. The source also claimed that the hacker left a phone number in Sports Direct’s system so that the owners could get in touch with them. However, it is still unclear whether the data is being sold or has been leaked on the Internet.
What’s worse about this breach is that although the company found out about the breach in December, it didn’t bother to inform the employees affected by the breach itself; it did, however, inform the authorities.
Wieland Alge, GM and VP EMEA at Barracuda Networks, said that “the employee portal breach at Sports Direct highlights that not enough is being done to get the correct security procedures and systems in place. Although it does not seem like the attackers were able to get their hands on financial information, only gaining access to email addresses, full names and phone numbers can lead to serious problems, perhaps leaving employees open to targeted phishing attacks.”
Thomas Fischer, threat researcher and security advocate at Digital Guardian, also commented on the issue, saying that “Public and private organizations alike have a duty of care, not to mention legal obligation, to protect data. By failing to update its systems and appearing to disregard security best practices, Sports Direct has let its employees down. If GDPR was already in enforcement, the repercussions for Sports Direct could have been far greater as it appears that the company was in violation of two requirements of the regulation.
First, under the GDPR, companies are required to use appropriate measures to protect all personal data, so the employee information should have been encrypted. Second, companies are obliged to report suspected incidents to the authorities within 72 hours. The incident also reminds us of the dangers of not notifying the affected parties. Sports Direct has failed to inform employees of the breach, putting those affected at further risk. With personal details in their hands, hackers may have targeted employees through phishing and social engineering attacks – and the employees would have had no reason to believe anything was suspicious.”
This is not the first time that Sports Direct has been in the news over its treatment of employees. An undercover investigation by The Guardian revealed that the company’s owner, Mike Ashley, the 22nd richest man, not only pays workers below the minimum wage but is also involved in the mistreatment of employees.
At the time of publishing this article, Sports Direct had declined to comment on the report. Stay tuned.