10 million customers exposed in JD Sports cyber attack
The sports fashion retailer has urged customers to be “on the look-out” for scam emails in the wake of the incident
Fashion retailer JD Sports has been hit with a cyber attack that has exposed information on millions of customers.
In a statement confirming the incident, the company revealed that up to 10 million customer accounts may have been compromised in the attack.
Exposed information is believed to include names, phone numbers, order details, billing and delivery addresses, and the final four digits of payment cards.
An investigation by the company found that exposed information pertains to online customer orders made between November 2018 and October 2020.
A number of brands within the group appear to have been impacted in the attack, including Size?, Blacks, Scotts, and Millets.
The retailer added that “affected data is limited”, however, and that at present there is no reason to believe that customer account passwords were accessed.
“JD Sports does not hold full payment card data and, further, has no reason to believe that account passwords were accessed,” the retailer said in a statement.
JD Sports’ chief financial officer, Neil Greenhalgh, apologised for the incident and urged users to be prepared for a potential spike in phishing emails in its wake.
“We want to apologise to those customers who may have been affected by this incident,” he said. “We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these.
“We are proactively contacting affected customers so that we can advise them to be vigilant to the risk of fraud and phishing attacks. This includes being on the lookout for any suspicious or unusual communications purporting to be from JD Sports or any of our group brands.”
JD Sports said it has informed the Information Commissioner’s Office (ICO) of the incident and is working closely with security partners to mitigate the impact on customers.
“We are continuing with a full review of our cyber security in partnership with external specialists following this incident,” Greenhalgh said. “Protecting the data of our customers is an absolute priority for JD.”
JD Sports attack: Retailers in the crosshair
The JD Sports attack is the latest major security incident to affect UK retailers in the space of a year.
In April 2022, book retailer The Works fell victim to a cyber attack which forced the closure of dozens of stores across the UK.
The incident crippled the company's internal systems, resulting in widespread delays to customer delivery orders and preventing the company from resupplying stores.
Retailers have become an increasingly lucrative target for cyber criminals, research shows.
A study last year by SonicWall found that the retail sector saw a 264% surge in ransomware attacks between February 2021 and 2022.
The widespread consumer shift to online shopping during the pandemic prompted hackers to escalate attacks against online retailers.
Lauren Wills-Dixon, a solicitor and expert in data privacy at law firm Gordons, said retailers are now key targets for cybercriminals due to the volume of consumer data they process and hold.
“Retailers are among the most common targets for cybercriminals because their high volume of transactions – and therefore the volume of customer data they hold - makes them an attractive target,” she said. “The increased use of technology by the industry to reduce overheads and streamline operations has raised the risk even further.”