Sports Direct 'hid data breach from staff' By Jane Wakefield

Technology reporter Published duration 9 February 2017

image copyright PA image caption Sports Direct has come under fire in recent months over its "Dickensian working practices"

A data breach at retailer Sports Direct last year was reported to the Information Commissioner's Office but not to staff whose data may have been compromised, according to reports.

The ICO confirmed to the BBC that it was "aware of an incident" and was making enquiries.

According to technology website The Register , the breach in September saw employees' unencrypted data stolen.

A spokesman for Sports Direct would not be drawn on the details of the breach.

"We cannot comment on operational matters in relation to cybersecurity for obvious reasons," he told the BBC.

"It is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed," he added.

The Register was told by "an inside source" that a hacker had attacked a system that Sports Direct used to run a staff portal.

New regulations coming from the EU will require companies to declare a data breach within 72 hours.

According to the ICO's current guidelines , it is important companies notify "individuals who may have been affected" to allow them "to take steps steps to protect themselves".

Unite assistant general secretary Steve Turner told the BBC: "Sports Direct workers will be anxious to know what personal details have been hacked in this apparently serious data breach and why they weren't immediately informed about it by their employer.

"This is potentially sensitive and personal information such as national insurance numbers and bank details that we're talking about.

"It's completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet."

The union has contacted Sports Direct to clarify what happened in the breach, but urged staff to check their financial records, change passwords and report any suspicious activity.

Dr Jamie Greaves, chief executive at cybersecurity company ZoneFox told the BBC: "The way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber-attack.

"Keeping their 30,000-strong workforce in the dark for over a year is simply unacceptable."

It is not the first time Sports Direct has been criticised for how it treats its staff.

The chairman of the government's Business, Innovation and Skills committee Iain Wright suggested that Sports Direct's working practices were "closer to that of a Victorian workhouse than that of a modern, reputable high street retailer".