Cyber Incident Victim: Sports Direct
Date:
Sep 2016
Location:
United Kingdom
Summary
A cyberattack compromised the UK's largest sports retailer through publicly known vulnerabilities in an unpatched staff portal built on DNN (DotNetNuke), exposing personal data of approximately 30,000 employees, including names, contact details and postal addresses, that had been stored unencrypted. Internal monitoring detected the intrusion in September 2016, but the company did not confirm the data theft until December; it reported the incident to the Information Commissioner's Office but did not notify staff, citing a lack of evidence that the stolen information had been further copied or shared. The labor union Unite sharply criticized the decision to withhold disclosure from affected workers, against a backdrop of existing controversy over the company's workplace practices. The company acknowledged ongoing system upgrades and cooperation with the authorities without confirming specifics of the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In September 2016, Sports Direct suffered a security breach when an attacker exploited publicly known vulnerabilities in the unpatched DNN (DotNetNuke) platform, a .NET-based web content-management system, on which the company's staff portal was built. The intrusion gave the attacker unauthorized access to internal systems holding personal information on approximately 30,000 employees. The compromised data, which was stored unencrypted, included names, email addresses, postal addresses and phone numbers. Sports Direct's internal security systems detected the intrusion in September, but the organization did not confirm that data had been stolen until December 2016. Evidence suggested the attacker left a phone number on the compromised internal portal with a message urging company leadership to make contact, though no further details of any communication were disclosed.

Sports Direct filed an incident report with the UK Information Commissioner's Office (ICO) once it had confirmed the data breach, but chose not to notify affected employees, citing a lack of evidence that the stolen information had been copied or disseminated. As of February 2017, five months after the intrusion, staff had still not been told that their personal data had been compromised. The ICO confirmed it was aware of the incident and was making inquiries. The Unite union condemned the failure to notify workers as unacceptable and demanded explanations of what had been breached and what corrective measures were being taken. The breach occurred against a backdrop of existing controversy over Sports Direct's employment practices, including parliamentary criticism of its treatment of workers, minimum-wage violations that required £1 million in back payments, and allegations of surveillance during official inspections at company facilities. Sports Direct declined substantive comment on the incident beyond general statements about system upgrades and cooperation with the authorities.
