JD Sports says data of 10m customers may have been accessed in hack

30 Jan 2023

Image: © 1take1shot/Stock.adobe.com

JD Sports said the accessed data includes customer names, addresses, emails, phone numbers and the final four digits of payment cards.

Sports and fashion retailer JD Sports said the details of 10m customers were potentially accessed in a recent cyberattack.

The data breach relates to online orders placed between November 2018 and October 2020 for several of the retailer’s brands. The company said its affected brands are JD, Size?, Millets, Blacks, Scotts and MilletSport.

The retailer said the compromised information includes customer names, billing addresses, delivery addresses, email addresses, phone numbers, order details and the final four digits of payment cards.

This type of data can be used by hackers in phishing attacks, which is when criminals try to trick people into revealing sensitive data or installing malware.

JD Sports said it is contacting affected customers to warn them about the increased risk of phishing attacks. In a company statement, the CFO Neil Greenhalgh apologised to customers who may have been affected and said details are being shared on how to report potential scam emails, texts and calls.

“We are continuing with a full review of our cyber security in partnership with external specialists following this incident,” Greenhalgh said.

The retailer said it does not hold the full details of payment cards and does not believe account passwords were accessed from the cyberattack. The company also said it is engaging with the UK’s Information Commissioner’s Office (ICO) on the incident.

JD Sports – which has stores across Ireland – is the latest in a series of high-profile cyberattacks to impact the country.

Earlier this month, the UK postal service Royal Mail became temporarily unable to send items overseas after being disrupted by a “cyber incident”. Two cabinet ministers had their Twitter accounts hacked the week before this attack.

This followed a serious IT incident that hit The Guardian last December, which the paper later confirmed was a ransomware attack.

Oz Alashe MBE, the CEO of risk management platform CybSafe, said the retail and manufacturing sectors appear to be the most vulnerable to cyberattacks, based on the company’s analysis of ICO data.

“Within the retail sector, trust is essential,” Alashe said. “Customers want to be confident that their personal information is protected, especially in the new age of online shopping.

“As a result, retailers must ensure that their employees are equipped with the right tools and education to display positive security behaviours.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com