British retailer JD Sports reveals 2-year-old intrusion affecting data of 10 million customers

JD Sports store

British sportswear retailer JD Sports announced Monday that data belonging to approximately 10 million unique customers was compromised in a cyberattack that began last decade.

Names, billing and delivery addresses, as well as emails, phone numbers and order details are among the information accessed by hackers between November 2018 and October 2020.

The company did not disclose how the incident was uncovered, why it ended in October 2020 — 27 months ago — nor why it was only being confirmed now.

In a notice filed to the London Stock Exchange’s Regulatory News Service the company said: “We have taken the necessary immediate steps to investigate and respond to the incident, including working with leading cyber security experts.”

The attack affected customers at a number of the group’s brands including JD, Size?, Millets, Blacks, Scotts and MilletSport. Shares in JD Sports Fashion Plc were trading down less than 1% following the disclosure.

The company described the impact as “limited” because the incident did not involve full payment card data and said there is “no reason to believe that account passwords were accessed.”

The final four digits of customers’ 16-digit payment cards were exposed.

JD Sports said that it is continuing to investigate the incident and has notified by the Information Commissioner’s Office, the United Kingdom’s data protection regulator.

“We are proactively contacting affected customers so that we can advise them to be vigilant to the risk of fraud and phishing attacks. This includes being on the look-out for any suspicious or unusual communications purporting to be from JD Sports or any of our group brands,” the notice added.

The company’s chief financial officer, Neil Greenhalgh, said: “We want to apologize to those customers who may have been affected by this incident. We are advising them to be vigilant about potential scam e-mails, calls and texts and providing details on how to report these.

“We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD,” Greenhalgh added.

Article Link: British retailer JD Sports reveals 2-year-old intrusion affecting data of 10 million customers - The Record from Recorded Future News