Sports Direct suffered a security breach in 2016 that saw the personal details of 30,000 of its staffers stolen, and reportedly failed to inform affected employees.
Hackers struck the British retailer in September, exploiting vulnerabilities in the firm's employee portal, which was running a version of the DNN-based content management system that had not been updated with the latest security patch.
A source told The Register that the hackers made off with information including the names, email addresses and physical addresses of 30,000 employees, but said it was unclear what had been done with the data.
According to the report, Sports Direct management found out about the attack in December but had still not made affected employees aware.
The ICO has said that it is aware of the issue, and would "be making enquiries."
A Sports Direct spokesperson said in a statement: "We cannot comment on operational matters in relation to cyber-security for obvious reasons. However, it is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed."
David Emm, principal security researcher at Kaspersky Lab, has weighed in on the incident, calling out the firm for running dated software and for presumably not carrying out regular security audits.
"Customers that entrust private information to the care of a business should be safe in the knowledge it is kept in a secure manner. Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures businesses can take in order to provide thorough protection," Emm said.
"These measures include running fully updated software, performing regular security audits on the website code and penetration testing the infrastructure. It's crucial that businesses ensure that all passwords are protected using secure hashing and salting algorithms.
"The best way for organisations to combat these types of cyber-attacks is at the beginning; by having an effective cyber-security strategy in place before the company becomes a target."
Emm adds that this hack underlines the importance of regulation, and said that hopefully the soon-to-be-introduced GDPR will encourage firms to come clean when hackers have hit.
"This breach once again underlines the need for regulation. It's to be hoped that GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and secondly, to notify the ICO of breaches in a timely manner."