Information Security Buzz
Sports Direct Data Breach

By ISBuzz Team | February 10, 2017 | Updated: July 8, 2024 | 5 Mins Read
Following the news that Sports Direct suffered a data breach as the result of an unpatched staff portal, and failed to inform its own staff, IT security experts from Kaspersky Lab, SentinelOne, TrapX, RES and ZoneFox commented below.

David Emm, Principal Security Researcher at Kaspersky Lab:

“Customers that entrust private information to the care of a business should be safe in the knowledge it is kept in a secure manner. Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures businesses can take in order to provide thorough protection. These measures include running fully updated software, performing regular security audits on the website code and penetration testing the infrastructure. It’s crucial that businesses ensure that all passwords are protected using secure hashing and salting algorithms. The best way for organisations to combat these types of cyber-attacks is at the beginning; by having an effective cyber-security strategy in place before the company becomes a target.

Consumers have no control over the security of their online providers. However, they can mitigate the risk of a security breach. We would recommend that everyone uses unique, complex passwords for all their online accounts. It’s a growing concern that many people use the same password and personal details across multiple online accounts, meaning if their details have been compromised by one attack they could find other accounts suffer too. We would also urge people to take advantage of two-factor authentication, where a provider offers this.

This breach once again underlines the need for regulation. It’s to be hoped that GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and secondly, to notify the ICO of breaches in a timely manner.”

Andy Norton, Risk Officer EMEA at SentinelOne:

“In comparison to other leading retailers, the section on operational risk oversight relating to cyber risk in the Sports Direct annual report seems minimal. Other retailer reports announce the appointment of a CISO, explanation of the committee structure on how the board is briefed on cyber risk, and statements on continuous vigilance and incident response.

The Information Commissioner’s Office has been notified by Sports Direct on the breach and they will decide the appropriate course of action based on Sports Direct’s handling of the situation against best practice.”

Kevin Eley, VP of Sales EMEA at TrapX:

“The frequency of successful attacks on networks leading to subsequent data breaches is unfortunately only set to increase in 2017. Yet more well-known brands will be reported in the press as having been the victim of a successful cyber-attack. Organisations will need to consider innovative new approaches to protecting their sensitive data since traditional approaches are clearly failing.

However, it is also important that organisations adopt a responsible and mature approach to reporting breaches to the stakeholders that have been affected. If the reports of the Sports Direct breach are to be believed, and affected stakeholders were not notified, then it is nothing short of woeful and can only lead to a further erosion of employees’ trust in the brand. That cannot be a good state of affairs at all!”

Jason Allaway, VP UK & Ireland at RES:

“Sports Direct is another example that no organisation, regardless of its size or the industry it operates in, is safe from a potential security breach.

Sports Direct, the UK’s largest sports retailer, was undone by unpatched software used for its staff portal. For a company of its size to hold critical staff data behind an insecure platform is a daunting thought. We expect every organisation to stay up to date with its security and we expect it even more from high street giants employing thousands of people. Not downloading the most recent patches to software can leave you exposed to these kinds of issues – patches are developed for a reason, and cyber criminals are always innovating to stay one step ahead.

This is a stark reminder not only to Sports Direct but every company that vigilance should be implemented as gospel. Every organisation should always assume they have been infiltrated. As such, penetration tests should be carried out regularly. It’s even worth getting friendly hackers to expose – and then patch up – any existing vulnerabilities before they can be exploited.

Sports Direct should treat this episode as a valuable lesson and an opportunity to ramp up their security processes. For other companies, it’s another reminder that you can’t hide a breach from your employees, let alone everyone else.”

Dr Jamie Graves, CEO at ZoneFox:

“The way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber attack. Keeping their 30,000-strong workforce in the dark for over a year is simply unacceptable. And it’s not just morally dubious; with the looming EU GDPR regulations stating companies must declare a data breach within 72 hours or they will face severe fines, a lot of learning must be done by businesses on how they deal with a breach. They have said they filed a report with the ICO, but how quickly that happened has not been disclosed. This is a classic case of an avoidable breach; an unpatched system with unencrypted details. This is infosec 101 and they got it wrong.”

“It’s one thing having the right technology and experts in place to spot these attacks, but what you do after detection is equally important. Companies need to become more alert to such breaches and realise that they are all vulnerable. Too many businesses focus on threats that come from outside their organisations, which, while a warranted focus, simply does not cover all bases, such as threats from inside the organisation and weak links in outdated software. Organisations must ensure they have visibility and control of their data, which would have immediately alerted them to the data being taken.”

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.