JD Sports warns data of 10mn customers put at risk in cyber attack

Sportswear retailer JD Sports said it was the victim of a cyber attack that exposed the data of 10mn customers, in the latest of a spate of hacks on UK companies.

The chain said on Monday that the attack involved “unauthorised access” to a system that contained “the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards”.

“We want to apologise to those customers who may have been affected by this incident,” said chief financial officer Neil Greenhalgh. “We are continuing with a full review of our cyber security in partnership with external specialists following this incident.”

The retailer said the hack specifically accessed data relating to customers’ online orders made between November 2018 and October 2020, with outdoor gear companies Millets and Blacks among the brands affected.

JD Sports said it did not save full payment details except for the last four digits of cards used. The company also said it had “no reason” to believe that customers’ passwords for the site were compromised, but said it was reaching out proactively to customers to warn them of the threat of phishing attacks by groups with access to their information.

The news is an unpleasant surprise for JD Sports, which earlier this month said it expected its profits to top £1bn for the first time in the next financial year on the back of record demand. Other UK companies to have suffered debilitating cyber attacks in recent weeks include Royal Mail and the Guardian.

Retailer Dixons Carphone, now known as Currys, was fined £500,000 by the Information Commissioner’s Office in 2020 over a data breach that compromised the personal data of more than 14mn consumers. Experts warned that the latest hack would lead to an increased danger of follow-up attacks on JD customers, most of whom are in the UK.

“The main issue is that significant volumes of personal identifying information have been compromised,” said Matt Hull, global head of threat intelligence at NCC Group, who described the amount of customer data exposed as “significant”. “That sort of information can be resold by criminals and resold on the dark web.”

A person close to the company denied that the attack was ransomware, in which a company’s data is held hostage by attackers, and said that the attackers accessed data through a so-called “brute force” method, in which countless username and password combinations are tried against the login until one succeeds.

JD Sports’ shares were down 0.8 per cent to 160.3p in late-morning trading.