[BreachExchange] Sports Direct hacked last year, and still hasn't told its staff of data breach

Wed Feb 8 20:42:38 EST 2017

https://www.theregister.co.uk/2017/02/08/sports_direct_
fails_to_inform_staff_over_hack_and_data_breach/

Sports Direct has left its 30,000-strong workforce in the dark over a data
breach in the autumn when a hacker accessed internal systems containing
staffers' personal information.

The Register can reveal the UK's largest sports retail business was the
subject of a digital break-in during September, when an attacker exploited
public vulnerabilities affecting the unpatched version of the DNN platform
that Sports Direct was using to run a staff portal.

An inside source with knowledge of the incident told The Register that
employees' unencrypted data was stolen during the breach. Sports Direct's
internal systems detected the intrusion in September, but it was not until
December that the company learned of the data breach. Our insider claimed a
phone number had been left on the company's internal site with a message
encouraging Sports Direct's bosses to make contact.

Sources told us that as of Monday, staff had still not been notified of the
breach, which included names, email and postal addresses, as well as phone
numbers.

Sports Direct filed an incident report with the Information Commissioner's
Office after it became aware that its workforce's information had been
compromised, but as there was no evidence that the hacker had made further
copies or shared the data, the company did not report the breach to its
staff.

A spokesperson for the ICO confirmed to The Register that it was “aware of
an incident from 2016 involving Sports Direct” and would be “be making
enquiries.”

Last year, a Parliamentary inquiry into working practices at Sports Direct
[PDF] described the business as “the country’s largest sports retail
outlet,” and stated that its “size and success is founded on a business
model that enables the majority of workers in both the warehouse at
Shirebrook and at the shops around the UK to be treated without dignity or
respect.”

Regarding the breach, Unite assistant general secretary Steve Turner told
us: “Sports Direct workers will be anxious to know what personal details
have been hacked in this apparently serious data breach and why they
weren't immediately informed about it by their employer. This is
potentially sensitive and personal information.”

“It’s completely unacceptable that the workers affected appear not to have
been informed and the data breach swept under the carpet,” added Turner.

“We will be immediately approaching the company for answers and further
details about the potentially damaging impact of this on our members, as
well as details about actions taken to ensure personal data is never
compromised again,” the union's assistant general secretary said. “In the
meantime we would urge Sports Direct workers to check their financial
records, change passwords and immediately report any suspicious activity.”

Unite's criticism of Sports Direct's lack of regard for employees is the
latest in a string of complaints which have seen the company's share price
more than halve since February 2015, following a number of scandals
regarding its alleged mistreatment of employees.

An undercover investigation by The Guardian discovered that the company had
been effectively paying workers below the minimum wage. The company
subsequently admitted breaking the law and thousands of warehouse workers
received back pay totalling £1m.

In November, six MPs from Parliament's Business and Skills Committee
claimed that “an attempt was made to record their private discussions” when
they visited the Shirebrook warehouse to investigate working practices.

A spokesman for Sports Direct said: "We cannot comment on operational
matters in relation to cyber-security for obvious reasons. However, it is
our policy to continually upgrade and improve our systems, and where
appropriate we keep the relevant authorities informed."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170208/c8e76b3a/attachment.html>