JD Sports, the high street sports fashion retail giant, has confirmed that it was targeted in a successful cyber-attack that has resulted in unauthorized access to customer data. How much data? A JD Sports Fashion Plc spokesperson told me the number could be “approximately 10 million unique customers.” Here’s what we know so far.
JD Sports security incident disclosure email
In an email to customers, seen by this reporter, the JD Sports Group has confirmed that a security incident, which may impact as many as 10 million customers, gave attackers access to data including “full name, delivery and billing address(es), email address, phone number, final 4 digits (only) of payment card and/or order details.”
According to the email, the data is from a database containing orders placed between November 2018 and October 2020.
JD Sports Fashion Plc statement to the press
In a statement emailed to me by a JD Sports Fashion Plc spokesperson, the organization confirmed that the affected JD Sports group brands are “JD, Size?, Millets, Blacks, Scotts and MilletSport.” The statement also added that JD Sports do not hold full payment card details, and the company “has no reason to believe that account passwords were accessed.”
Obviously, being a cybersecurity specialist, I would advise all customers of any of those brands to change their passwords as soon as possible, regardless.
We take your security seriously
“We want to apologize to those customers who may have been affected by this incident,” Neil Greenhalgh, the chief financial officer of JD Sports, said, adding that advice is being sent for them to be vigilant regarding scam emails, calls, and texts. While a full security review is continuing, including help from external specialists, Greenhalgh somewhat predictably said, “protecting the data of our customers is an absolute priority for JD.”
Security experts offer advice to concerned customers
John Davis, the U.K. and Ireland director at the SANS Institute, says, “cybercriminals are levelling up. Their attacks are more prevalent, more sophisticated, and harder to detect. Brand reputations and relationships with customers are on the line. Customers will reward businesses who can persuade them they are best equipped to manage their data. The golden rule to remember is that prevention is always better than cure. Power comes through knowledge about how cyberattacks could happen and flagging them to the UK’s national reporting centre for fraud and cybercrime.”
Meanwhile, Javvad Malik, lead security awareness advocate at KnowBe4, advises users to “be mindful of any emails or messages they receive which may claim to be from JD Group. Criminals are always looking to piece together information from breaches to create convincing and authentic phishing scams. If anyone receives such emails, they should not respond and rather seek to verify the authenticity directly with the company.”
The incident disclosure email sent to customers said that those wishing to report any suspicious activity should do so by contacting Action Fraud, the national fraud and cybercrime reporting center for the U.K. “If you would like to contact us about this matter, you can email us at [email protected]” the email concluded.