A global British athletic retailer was hit by a major cyberattack between 2018 and 2020.
In an official letter, JD Sports Fashion Plc disclosed that between November 2018 and October 2020, an online security breach resulted in “unauthorized access” to a system that contained customer data relating to some online orders placed during that time at its JD, Size?, Millets, Blacks, Scotts, and MilletSport banners.
According to the retailer, information that may have been accessed in the breach consists of the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards of approximately 10 million unique customers. JD Sports said it does not hold full payment card data and has no reason to believe that account passwords were accessed.
In response, the retailer says it has taken steps including working with cybersecurity experts and cooperating with authorities, including the U.K.'s Information Commissioner's Office (ICO). JD Sports is also contacting affected customers to advise them to be on the lookout for follow-up fraud and phishing attempts. The company has not specified how the breach occurred or when or how it was detected.
In the U.S., JD Sports operates retail brands including The Finish Line, Shoe Palace and Baltimore-based athletic footwear and streetwear retailer DTLR Villa. The retailer also operates a flagship in New York City’s Times Square. The U.S. market now accounts for more than a quarter of the company’s total sales.
“We want to apologize to those customers who may have been affected by this incident,” said Neil Greenhalgh, CFO of JD Sports, in the letter. “We are advising them to be vigilant about potential scam e-mails, calls and texts and providing details on how to report these. We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD.”
In commentary provided to Chain Store Age, Chris Phillips, senior security researcher, Devo Technology, said retail organizations with large e-commerce platforms offer an “enticing target” for global cybercriminals.
“Stolen customer databases can prove lucrative both from a monetary and practical standpoint,” said Phillips. “A fundamental pillar to an organization’s security posture is ensuring visibility into data generated by all levels of infrastructure. The first step to any incident response procedure is detecting the incident in the first place. Ensuring internal security teams have tools, visibility, and training to not only detect and respond to attacks but doing so in a timely manner can have drastic impact in reducing incident severity.”