Sports Direct (SD) became aware that its systems had been breached in September 2016 and that personal information of the retailer's 300,000-strong workforce had been compromised. Yet it failed to inform its staff of this breach.
In September 2016, SD learnt that an intrusion had occurred in its systems, but claims it did not become aware of the theft of staff information until December 2016. The personal information stolen included names, email and postal addresses, and telephone numbers.
The ICO’s ‘Guidance on data security breach management’ lists four important elements to a data breach management plan as follows:-
- Containment and recovery
- Assessment of ongoing risk
- Notification of breach
- Evaluation and response.
With regard to the notification of a breach, it provides:
“Informing people and organisations that you have experienced a data security breach can be an important element in your breach management strategy…Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves…”
Further it sets out a list of questions to assist a company in deciding whether to notify, including:-
- Are there any legal or contractual requirements to notify?
- Can notification help the individual mitigate the risks?
- If a large number of people are affected, or there are very serious consequences, you should inform the ICO.
Whilst SD reported the security breach to the ICO, it kept its own workforce in the dark.
The tech publication ‘The Register’ first reported SD’s security breach earlier this month and has recently reported that a copy of SD’s database was found on equipment and on a cloud service seized by the police in October 2016. SD’s database was only recently discovered, upon forensic examination of the seized equipment.
A spokesman for SD has stated that “We cannot comment on operational matters in relation to cyber-security for obvious reasons. However, it is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed”.
Steven Turner, assistant general secretary for Unite, commented “it’s completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet”. Unite has urged staff to check their financial records, change passwords and report any suspicious activity.
While guidance encourages companies to report data security breaches to those who may be affected, there are no rules requiring this at present. The question is whether this is something the regulator should be considering.