Sports Direct hacked last year, and still hasn't told its staff of data breach

Exclusive Sports Direct has left its 30,000-strong workforce in the dark over a data breach in the autumn when a hacker accessed internal systems containing staffers' personal information.

The Register can reveal the UK's largest sports retail business was the subject of a digital break-in during September, when an attacker exploited public vulnerabilities affecting the unpatched version of the DNN platform that Sports Direct was using to run a staff portal.

An inside source with knowledge of the incident told The Register that employees' unencrypted data was stolen during the breach. Sports Direct's internal systems detected the intrusion in September, but it was not until December that the company learned of the data breach. Our insider claimed a phone number had been left on the company's internal site with a message encouraging Sports Direct's bosses to make contact.

Sources told us that as of Monday, staff had still not been notified of the breach, which included names, email and postal addresses, as well as phone numbers.

Sports Direct filed an incident report with the Information Commissioner's Office after it became aware that its workforce's information had been compromised, but as there was no evidence that the hacker had made further copies or shared the data, the company did not report the breach to its staff.

A spokesperson for the ICO confirmed to The Register that it was “aware of an incident from 2016 involving Sports Direct” and would be “be making enquiries.”

Last year, a Parliamentary inquiry into working practices at Sports Direct [PDF] described the business as “the country’s largest sports retail outlet,” and stated that its “size and success is founded on a business model that enables the majority of workers in both the warehouse at Shirebrook and at the shops around the UK to be treated without dignity or respect.”

Regarding the breach, Unite assistant general secretary Steve Turner told us: “Sports Direct workers will be anxious to know what personal details have been hacked in this apparently serious data breach and why they weren't immediately informed about it by their employer. This is potentially sensitive and personal information.”

“It’s completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet,” added Turner.

“We will be immediately approaching the company for answers and further details about the potentially damaging impact of this on our members, as well as details about actions taken to ensure personal data is never compromised again,” the union's assistant general secretary said. “In the meantime we would urge Sports Direct workers to check their financial records, change passwords and immediately report any suspicious activity.”

Unite's criticism of Sports Direct's lack of regard for employees is the latest in a string of complaints which have seen the company's share price more than halve since February 2015, following a number of scandals regarding its alleged mistreatment of employees.

An undercover investigation by The Guardian discovered that the company had been effectively paying workers below the minimum wage. The company subsequently admitted breaking the law and thousands of warehouse workers received back pay totalling £1m.

In November, six MPs from Parliament's Business and Skills Committee claimed that “an attempt was made to record their private discussions” when they visited the Shirebrook warehouse to investigate working practices.

A spokesman for Sports Direct said: "We cannot comment on operational matters in relation to cyber-security for obvious reasons. However, it is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed." ®