Data of 10m customers may have been stolen in JD Sports 'hack'

Major data breach for 10 million JD Sports customers: Personal details – including addresses, phone numbers and email addresses – may have been stolen after retailer was targeted by hackers

  • Personal information of 10 million customers at risk following JD Sports leak 
  • Card payment details are safe but addresses, phone numbers and emails are not 

JD Sports has warned around 10 million customers that their personal data may have been compromised after hackers targeted the retailer.

Online shoppers who used websites for JD Sports, Size? or Black and Millets between November 2018 and October 2020 may have had their personal data hacked.

The firm today confirmed home addresses, phone numbers and emails were stolen as part of the major data breach, although card details and passwords are not believed to be at risk.

JD Sports warned customers to remain vigilant to the risk of fraudulent activity as its chief financial officer today apologised to those affected by the data breach.

Hackers accessed a system which contained information on orders placed between November 2018 and October 2020 by JD Sports customers, the company said. 

The intruders could have gained access to billing, delivery and email addresses, full names, phone numbers, details of orders that customers have placed, and the final four digits of their payment cards.

JD warned customers to be vigilant against any potential fraudsters who could use this information to target shoppers, and convince the customers that they are calling, emailing or texting from JD.

‘We want to apologise to those customers who may have been affected by this incident,’ said chief financial officer Neil Greenhalgh.

‘We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these.

‘We are continuing with a full review of our cyber security in partnership with external specialists following this incident.

‘Protecting the data of our customers is an absolute priority for JD.’

The business said that it would proactively contact customers whose data might have been taken in the breach. 

Companies caught up in data breaches can be hit with large fines by the Information Commissioner’s Office. 

It fined British Airways a record £20m after the personal data of more than 400,000 customers and staff was stolen in 2020.

Marriott International hotels was also fined £18.4m the same year after hackers stole millions of guest records.

A spokesman for JD Sports said on Monday: ‘We have taken the necessary immediate steps to investigate and respond to the incident, including working with leading cyber security experts.

‘We are engaging with the relevant authorities, including the UK’s Information Commissioner’s Office (ICO), as necessary.

‘We are proactively contacting affected customers so that we can advise them to be vigilant to the risk of fraud and phishing attacks.

‘This includes being on the lookout for any suspicious or unusual communications purporting to be from JD Sports or any of our group brands.’

It is the latest in a series of recent high-profile cyber attacks on British companies.

Last Thursday, Royal Mail was able to resume international signed deliveries for business customers.

The parcel and delivery firm warned that it had experienced ‘severe disruption’ and was unable to send millions of letters and parcels overseas for weeks due to a ‘cyber incident’ carried out by a cell of hackers believed to be linked to Russia.

Motorists who use Arnold Clark also had information including addresses, passports and national insurance numbers leaked on the dark web by criminal gang Play.

The Guardian newspaper was also subject to a ransomware attack in December 2022 – after staff’s personal details were targeted in a ‘highly sophisticated’ cyber attack.
