JD Sports is contacting about 10m customers whose data may have been accessed in a cyber attack.
The sports fashion retailer says in a statement today that there has been unauthorised access to a system containing customer data relating to some online orders that were placed between November 2018 and October 2020.
The data breach relates to orders placed at group brands including JD, Size?, Millets, Blacks, Scotts and MilletSport. The information that may have been accessed includes customer names, billing, delivery and email addresses, phone numbers, order details and the final four digits of payment cards belonging to about 10m unique customers.
JD Sports says it has taken immediate steps to respond to and investigate the incident. It has alerted the UK’s Information Commissioner’s Office (ICO) and other relevant authorities, and is also working with cyber security experts.
Neil Greenhalgh, chief financial officer of JD Sports, says: “We want to apologise to those customers who may have been affected by this incident. We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these. We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD.”
Analysis from the UK’s Office for National Statistics, based on research carried out in the winter of 2021/2022, found that 39% of UK businesses questioned said they had identified a cyber attack on their organisation during the preceding year. That is the same level as the previous year, although down from the 46% of businesses that said they had done so in 2020. Of those that had experienced an attack in 2022, 83% were phishing attempts and 21% were a more sophisticated attack, such as a denial of service, malware or ransomware attack. Retailers including The Works have been affected by cyber attacks in the last year.
Commenting, Lauren Wills-Dixon, solicitor and an expert in data privacy at law firm Gordons, says: “Retailers are among the most common targets for cybercriminals because their high volume of transactions – and therefore the volume of customer data they hold – makes them an attractive target. The increased use of technology by the industry to reduce overheads and streamline operations has raised the risk even further.
“JD Group have been quick to communicate to the historic customers affected, and alleviate any concerns about bank details being accessed. The test for reportability of a data breach to the Information Commissioner’s Office (ICO) and also any affected individuals is whether there is a real risk to people’s rights and freedoms (which catches most cyber-attacks). However, organisations, especially retailers who often bear the brunt of public criticism because of consumer-facing visibility, may also choose to contact customers to control the narrative from a PR perspective.
“In this new world, it’s not ‘if’ but ‘when’ a cyber attack will happen. Organisations need to plan accordingly by shifting focus from pure prevention to ongoing detection and response planning. This will ensure they can become more resilient and bounce back from attacks quickly.”
Immanuel Chavoya, emerging threat expert at cyber security specialist SonicWall, says: “The recent breach of JD Sports is a stark example of the tireless work cyber criminals undertake to steal personal information. Not only does this breach damage their brand reputation, but it also puts customers in a vulnerable position when sensitive information is compromised like passport numbers, credit card details and more.
“Organisations must learn from breaches like this by taking the opportunity to ensure there are no gaps in their systems for criminals to leverage, stopping them at the edge before they have a chance to infiltrate the network. Once they’re in, they’re able to move laterally to identify the sensitive data that’s highly valued on the dark web.”