The Register confirmed that Sports Direct, the UK’s largest sports retail business, was hacked last year and still hasn’t disclosed the incident to its staff.
In the autumn a hacker broke into the internal systems of the company and accessed personal information of its staffers, including names, email and postal addresses, as well as phone numbers.
The attackers exploited known vulnerabilities affecting the unpatched version of the DNN platform used by Sports Direct to host the staff portal.
According to an inside source with knowledge of the data breach, staff data was stored in plain text. Sports Direct discovered the security breach in September; the insider claimed the attacker left their number on the company’s internal website in order to be contacted by the business.
According to El Reg, Sports Direct still has not disclosed the data breach to its staff; the company filed an incident report with the Information Commissioner’s Office after it became aware of the intrusion.
“A spokesperson for the ICO confirmed to The Register that it was ‘aware of an incident from 2016 involving Sports Direct’ and would be ‘making enquiries,’” reported The Register.
“Sports Direct workers will be anxious to know what personal details have been hacked in this apparently serious data breach and why they weren’t immediately informed about it by their employer. This is potentially sensitive and personal information,” the Unite assistant general secretary Steve Turner told The Register.
“It’s completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet,”
“We will be immediately approaching the company for answers and further details about the potentially damaging impact of this on our members, as well as details about actions taken to ensure personal data is never compromised again,” the union’s assistant general secretary said. “In the meantime we would urge Sports Direct workers to check their financial records, change passwords and immediately report any suspicious activity.”
What was the reply from Sports Direct?
“We cannot comment on operational matters in relation to cyber-security for obvious reasons. However, it is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed,” said a company spokesman.
(Security Affairs – Sports Direct, data breach)