JD Sports Fashion Plc (JD Sports) has been the target of a cyber incident which resulted in the unauthorised access to a system that contained customer data relating to some online orders placed between November 2018 and October 2020.
Image copyright Shutterstock
The details of 10 million customers of the affected JD Sports group brands - JD, Size?, Millets, Blacks, Scotts and MilletSport - could have been taken.
The affected data is limited, as JD Sports does not hold full payment card data and, further, has no reason to believe that account passwords were accessed. The information that may have been accessed consists of the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards of approximately 10 million unique customers.
JD Sports says it has taken the necessary immediate steps to investigate and respond to the incident, including working with leading cyber security experts. It is engaging with the relevant authorities, including the UK's Information Commissioner's Office (ICO).
It is also in the process of proactively contacting affected customers so that it can advise them to be vigilant to the risk of fraud and phishing attacks. This includes being on the look-out for any suspicious or unusual communications purporting to be from JD Sports or any of its group brands.
Neil Greenhalgh, Chief Financial Officer of JD Sports, said: "We want to apologise to those customers who may have been affected by this incident. We are advising them to be vigilant about potential scam e-mails, calls and texts and providing details on how to report these. We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD."
Marijus Briedis, cybersecurity expert at NordVPN, commented: “The scale of the JD Sports attack is hugely concerning and will have millions of online shoppers fearing that they’re in the cross hairs of hackers.
“While no customer passwords are believed to have been compromised, the breadth of information that has been stolen, from email addresses to phone numbers, could make it a very lucrative raid. Details like this are in high demand on the dark web, where knowing the last few digits of a person’s credit or debit card could be the foundation of a future phishing scam.
“As the customer data that has been targeted dates back to orders placed several years ago it could be that it was stored separately to live transactions. In the wake of the pandemic many businesses have introduced new cloud-based methods of storage, making them accessible remotely and less reliant on physical infrastructure like external drives.
“While the rush to the cloud is taking place, bad actors are increasingly focusing their sights away from hardware and instead looking for gaps in cloud services to exploit. These could be as simple as keeping the default password on a system account or failing to encrypt the stored data properly.”