JD Sports says 10 million customers hit by cyber-attack

Getty Images JD Sports shopfrontGetty Images

Sportswear chain JD Sports has said stored data relating to 10 million customers might be at risk after it was hit by a cyber-attack.

The company said information that "may have been accessed" by hackers included names, addresses, email accounts, phone numbers, order details and the final four digits of bank cards.

The data related to online orders between November 2018 and October 2020.

JD Sports said it was contacting affected customers.

The group said the affected data was "limited". It added it did not hold full payment card details and did not believe that account passwords were accessed by the hackers.

"We want to apologise to those customers who may have been affected by this incident," said Neil Greenhalgh, chief financial officer of JD Sports. "Protecting the data of our customers is an absolute priority for JD."

The attack related to online orders placed for the JD, Size?, Millets, Blacks, Scotts and MilletSport brands and it is understood it was detected by the company in recent days, but only the historical data was accessed.

The company said it was working with "leading cyber-security experts" and was engaging with the UK's Information Commissioner's Office (ICO) in response to the incident.

Mr Greenhalgh said affected customers were being advised "to be vigilant about potential scam e-mails, calls and texts".

Cyber-attacks have hit several UK companies in recent times. Royal Mail became the victim of a ransomware attack earlier this month which led to it halting post and parcel deliveries overseas.

In December, the Guardian newspaper was also targeted by a suspected ransomware attack.

Lauren Wills-Dixon, solicitor and an expert in data privacy at law firm Gordons, said retailers were among the most common targets for cyber-attacks because of the large amounts of customer data they hold, and said firms needed to do more to plan for them.

But she said the increased use of technology by the industry "to reduce overheads and streamline operations has raised the risk even further".

"In this new world, it's not 'if' but 'when' a cyber-attack will happen," she said.

A spokeswoman for the ICO confirmed it was aware of the attack and that it was assessing information provided by JD Sports.

Scott Nicholson, co-chief executive of cyber security company Bridewell, said it was seeing a rise in malicious software, known as "malware" being used by criminals to steal information from companies.

"It is good to see JD Sports stating that they are working with experts to help from a containment and recovery perspective, but once the dust has settled their comments of 'we take the protection of customer data extremely seriously' will be put to the test by the ICO," he added.