Personal data on up to 10 million people who shopped online at sporting goods and fashion retailer JD Sports has been accessed and potentially stolen by cyber criminals in a cyber incident of a currently unknown nature.
The incident, disclosed today (30 January), is understood to affect individuals who shopped online between November 2018 and October 2020 at six of the organisation’s brands, JD, Size?, Millets, Blacks, Scotts and MilletSport.
In a statement released to the London Stock Exchange, JD Sports said the affected data was “limited” in its scope and that no website user account passwords were accessed. It claims not to hold full payment card data on any of its customers.
At this time, the data known to have been accessed consists of names, billing and delivery addresses, email addresses and phone numbers, and the final four digits of payment cards used on JD Sports’ various websites.
“We want to apologise to those customers who may have been affected by this incident,” said JD Sports chief financial officer Neil Greenhalgh. “We are advising them to be vigilant about potential scam e-mails, calls and texts, and providing details on how to report these.
“We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD.”
The retailer said it was investigating and responding to the incident, and has already brought on board third-party cyber forensics experts, and engaged with the Information Commissioner’s Office in accordance with its legal obligations.
The retailer is proactively reaching out to customers it knows to be affected, and will be warning them to be extra vigilant in regard to potential risks to their own security, such as fraud attempts or targeted phishing attacks. It’s also warning people to be on the lookout for suspicious or unusual-looking communications that seem to come from JD Sports, or any of the other impacted brands.
In its letter to customers, a copy of which was shared with Computer Weekly, the retailer additionally said its security teams have responded “quickly” on discovering the incident, and that there had been no subsequent access to the compromised server.
JD Sports provided no further information as to the precise nature of the incident, and at the time of writing, there was no indication that the incident at JD Sports involves ransomware.
The incident is the latest in a string of cyber attacks on major consumer-facing organisations in the UK to have unfolded in the space of barely a month.
Most significantly, a suspected LockBit ransomware attack on Royal Mail continues to have ramifications for customers, with services still not fully operational nearly three weeks after the initial incident.
Other prominent victims have included the UK operation of US-headquartered casual dining giant Yum! Brands, which runs the KFC and Pizza Hut chains.
Meanwhile, immediately prior to Christmas 2022, The Guardian newspaper and car dealer Arnold Clark both fell victim to ransomware attacks. In Arnold Clark’s case, the attack was later claimed by the Play cyber extortion operation.