The UK's largest sporting retailer, Sports Direct, reportedly suffered a data breach last year but has been accused of failing to tell its workforce that their personal details – including names, email addresses and phone numbers – may have been accessed by a hacker.
The cyberattack allegedly hit the firm in September after a hacker was able to exploit software bugs in an unpatched content management system (CMS) platform that was being used as a staff web portal, The Register reported on 8 February.
Despite Sports Direct's breach monitoring systems detecting an attack at the time, The Register, citing an "inside source with knowledge of the incident", said it was not until December that the firm realised the extent of the hacking.
The source said contact details were left on the firm's internal website by the hacker who urged officials to get in touch. The source also claimed staff had still not been told their information may have been put at risk.
The Information Commissioner's Office (ICO), the UK's data breach watchdog, told IBTimes UK it is "aware of an incident from 2016 involving Sports Direct", and that it would be "making enquiries".
Steve Turner, assistant general secretary at trade union Unite, told The Sun: "It's completely unacceptable that the workers affected appear not to have been informed and the data breach swept under the carpet.
"Sports Direct workers will be anxious to know what personal details have been hacked in this apparently serious data breach and why they weren't immediately informed about it by their employer. This is potentially sensitive and personal information.
"We will be immediately approaching the company for answers and further details about the potentially damaging impact of this on our members, as well as details about actions taken to ensure personal data is never compromised again."
A spokesperson for Sports Direct said: "We cannot comment on operational matters in relation to cybersecurity for obvious reasons. It is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed."
The firm has over 450 stores in the UK, with roughly 18,000 staff. Its headquarters and warehouse are in Shirebrook, Derbyshire, where it has 200 permanent employees. The sports retailer also has over 3,000 agency workers, employed through two external agencies.
The firm was shrouded in controversy last year after a probe by The Guardian found that staff were lambasted for not working fast enough and were earning below the minimum wage, and that female staff were promised contracts in exchange for sexual favours.
After a damning report by UK members of parliament, a second review conducted by law firm RPC uncovered "serious shortcomings" at its warehouse. Sports Direct bosses have maintained they want to "give workers a voice", and ensure they are being treated with "dignity and respect".