Should you tell staff about a data breach?

Back in September 2016, Sports Direct suffered a data breach which it reported to the Information Commissioner’s Office (ICO) but, it appears, not to its own staff.

What makes this worse is that it was the staff’s own personal information that had been breached. According to the ICO’s current guidelines, it is important that companies notify “individuals who may have been affected” so that they are able “to take steps to protect themselves”.

The information exposed in the hack included national insurance numbers and bank details, data that could cause the affected staff serious personal disruption and financial loss. Understandably, once the breach became public knowledge, Sports Direct staff were anxious to know which of their personal details had been leaked, and why they had not been informed promptly by their employer. Not a smart move by Sports Direct.

Unite assistant general secretary Steve Turner commented: “It’s completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet.”

Dr Jamie Greaves, chief executive at cyber-security company ZoneFox, said: “The way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber-attack. Keeping their 30,000 strong workforce in the dark for over a year is simply unacceptable.”

If companies take one lesson from the Sports Direct breach, it should be to inform their staff promptly of any security incident, especially one in which staff personal information has been compromised.

New regulations coming in from the EU, the General Data Protection Regulation (GDPR), which applies from May 2018, will require companies to report a personal data breach to the regulator within 72 hours of becoming aware of it, and to tell the affected individuals without undue delay where the breach is likely to put them at high risk. Hopefully Sports Direct will take note of these changes.

Worried about your data security? 

If you would like to talk to us about enhancing the security of your computer systems, contact our team on 0800 9520652.