Exclusive: A 27-year-old man has been arrested in connection with the hacking of Sports Direct's internal website for employees, The Register can reveal.
The man, who has not been identified, was cuffed on suspicion of computer misuse offences amid an investigation into the attack on the UK's largest sports retail business last September.
After exploiting vulnerabilities affecting the unpatched version of the DNN platform that Sports Direct was using to run a staff portal, a hacker was able to steal the personal information of the retailer's 30,000-strong workforce. An inside source with knowledge of the incident told The Register a phone number had been left on the site with a message encouraging Sports Direct's bosses to make contact.
While Sports Direct's internal systems detected the intrusion in September, the business claims it did not realise that staffers' information had been stolen at that time. The company contacted the police. While investigating the breach, Sports Direct believed that the network intruder had also unsuccessfully attempted to compromise its systems in August.
Police confirmed today that a man from Shirebrook, England, was arrested in October on suspicion of computer hacking offences, and that his computer equipment was seized by the cops' East Midlands Special Operations Unit.
It was only upon forensic examination of the fella's equipment that officers were able to inform Sports Direct that a network security breach had taken place, as a copy of the staff database was found on the machine and had also been uploaded to the man's account on a cloud service, which has been taken under police control, we understand.
Our source informed us that employees' unencrypted data, including names, email and postal addresses, and telephone numbers, was stolen during the breach. A spokesperson for the Information Commissioner's Office (ICO) told us it was "aware of an incident from 2016 involving Sports Direct" and would "be making enquiries."
A spokesperson for the East Midlands Special Operations Unit said "a 27-year-old man has been arrested on suspicion of computer misuse and bailed pending further enquiries."
Despite ICO guidelines encouraging data controllers to inform individuals when their personal information was breached, sources confirmed to The Register that the company's workforce had not been told of the loss of their details.
Sports Direct did not respond to The Register's enquiries regarding whether staff had been informed following our report last week.
At the time of the breach, Unite assistant general secretary Steve Turner told us: "Sports Direct workers will be anxious to know what personal details have been hacked in this apparently serious data breach and why they weren't immediately informed about it by their employer. This is potentially sensitive and personal information.
"It's completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet.
"We will be immediately approaching the company for answers and further details about the potentially damaging impact of this on our members, as well as details about actions taken to ensure personal data is never compromised again. In the meantime we would urge Sports Direct workers to check their financial records, change passwords and immediately report any suspicious activity." ®