Huge mistake: Company gets breached, doesn’t inform the victims … its employees

Talk about bad employee morale. After a hacker broke into a Sports Direct system holding records on 30,000 of the British retailer's employees, the company failed to take the next obvious step: letting those employees know about it.

According to a report by The Register, last September a hacker successfully breached the company's staff portal. From there, the attacker was able to access the personal information of the thousands of company employees listed on the portal.

Although Sports Direct became aware of the breach in December, it never told its employees about the intrusion. Its reasoning wasn't particularly strong: it said that because there was no clear evidence the data had been copied or disseminated, it saw no reason to tell employees it may have been.

Be honest up front

Saying that you'd only tell your employees about a breach once you're absolutely sure their information had been stolen is a tough argument to swallow. "No evidence of copying" is rarely the same as evidence that nothing was copied; it often just means no one was logging the right things at the time.

And if you want your users to be allies in spotting and reporting attacks, you'll need to show that trust is a two-way street. Informing them of breaches, and of potential breaches, is a good way to make sure they do the same for you.

Remember: Covering up potential security breaches won’t work, and it won’t win you any friends. Honesty remains the best policy.