Following the news that Sports Direct suffered a data breach as the result of an unpatched staff portal – and failed to inform its own staff, IT security experts from Kaspersky Lab, SentinelOne, TrapX, RES and ZoneFox commented below.
David Emm, Principal Security Researcher at Kaspersky Lab:
“Consumers have no control over the security of their online providers. However, they can mitigate the risk of a security breach. We would recommend that everyone uses unique, complex passwords for all their online accounts. It’s a growing concern that many people use the same password and personal details across multiple online accounts, meaning if their details have been compromised by one attack they could find other accounts suffer too. We would also urge people to take advantage of two-factor authentication, where a provider offers this.
This breach once again underlines the need for regulation. It’s to be hoped that GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and secondly, to notify the ICO of breaches in a timely manner.”
Andy Norton, Risk Officer EMEA at SentinelOne:
“The Information Commissioner’s Office has been notified by Sports Direct of the breach, and they will decide the appropriate course of action based on Sports Direct’s handling of the situation against best practices.”
Kevin Eley, VP of Sales EMEA at TrapX:
“However, it is also important that organisations adopt a responsible and mature approach to reporting breaches to the stakeholders that have been affected. If the reports of the Sports Direct breach are to be believed, and affected stakeholders were not notified, then it is nothing short of woeful and can only lead to a further erosion of employees’ trust in the brand. That cannot be a good state of affairs at all!”
Jason Allaway, VP UK & Ireland at RES:
“Sports Direct, the UK’s largest sports retailer, was undone by unpatched software used for its staff portal. For a company of its size to hold critical staff data behind an insecure platform is a daunting thought. We expect every organisation to stay up to date with its security and we expect it even more from high street giants employing thousands of people. Not downloading the most recent patches to software can leave you exposed to these kinds of issues – patches are developed for a reason, and cyber criminals are always innovating to stay one step ahead.
This is a stark reminder not only to Sports Direct but every company that vigilance should be implemented as gospel. Every organisation should always assume they have been infiltrated. As such, penetration tests should be carried out regularly. It’s even worth getting friendly hackers to expose – and then patch up – any existing vulnerabilities before they can be exploited.
Sports Direct should treat this episode as a valuable lesson and an opportunity to ramp up their security processes. For other companies, it’s another reminder that you can’t hide a breach from your employees, let alone everyone else.”
Dr Jamie Graves, CEO at ZoneFox:
“It’s one thing having the right technology and experts in place to spot these attacks, but what you do after detection is equally important. Companies need to become more alert to such breaches and realise that they are all vulnerable. Too many businesses focus on threats that come from outside their organisations, which, while a warranted focus, simply does not cover all bases, such as threats from inside the organisation and weak links in outdated software. Organisations must ensure they have visibility and control of their data, which would have immediately alerted them to the data being taken.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.