10 Feb 2016 Sports Direct Data Breach left 30,000 staff in the dark and at risk
If someone broke into your house while you were on holiday and your insurer told the police that items may have been taken, but decided you didn't need to be bothered with the details, you wouldn't be best pleased. Not least for the discourtesy, but also because you would have been denied the chance to protect yourself by changing the locks or putting additional security measures in place.
It turns out that the 30,000 members of staff at Sports Direct were treated exactly like this, the swag this time being their personal and financial information (much beloved of cyber-criminals). As if the theft wasn't bad enough, the retailer didn't feel it appropriate to tell staff that their sensitive personal information was at risk, leaving them in the dark about the breach for months. Ouch!
As our CEO, Dr Jamie Graves, highlighted to the BBC, "The way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber attack."
He went on to say that "keeping their 30,000-strong workforce in the dark for over a year is simply unacceptable. And it's not just morally dubious; with the looming EU GDPR regulations stating companies must declare a data breach within 72 hours or they will face severe fines, a lot of learning must be done by businesses on how they deal with a breach."
Jamie summarised the situation: "They have said they filed a report with the ICO, but how quickly that happened has not been disclosed. This is a classic case of an avoidable breach; an unpatched system with unencrypted details. This is InfoSec 101 and they got it wrong."