Sports Direct ‘victim of huge cyber attack’

Retailer Sports Direct has revealed that personal data for 30,000 of its employees were stolen in a data breach - although it waited until this year to tell affected staff.

Hackers broke into the company’s systems last September, stealing names, email addresses and phone numbers by exploiting a vulnerability in its DNN platform.

It was reported that the Information Commissioner’s Office said Sports Direct had notified it of the hack and that it would be “making enquiries” into how it happened.

A spokesman for Sports Direct said: "We cannot comment on operational matters in relation to cyber-security for obvious reasons. However, it is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed."

Dr Jamie Graves, CEO at Zonefox, told IT Pro that Sports Direct didn’t handle the breach well.

"The way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber attack," Graves said. "With the looming EU GDPR regulations stating companies must declare a data breach within 72 hours or they will face severe fines, a lot of learning must be done by businesses on how they deal with a breach.

"They have said they filed a report with the ICO, but how quickly that happened has not been disclosed," he added.

"This is a classic case of an avoidable breach; an unpatched system with unencrypted details."
