British sports retail chain JD Sports recently warned customers that it had suffered a data breach when a server containing online order information was hacked. As a result, the data of around 10 million customers was compromised.

Personal data exposed in the attack

In the breach notice sent by JD Sports to impacted customers, the UK enterprise warned that the cyber-attack caused the exposure of information related to customer orders submitted between November 2018 and October of 2020.

The retailer stated that it detected the unauthorised access immediately and responded swiftly to secure the compromised server, preventing any further access. Before it was secured, however, the attackers managed to steal the personal data of about 10 million JD Sports customers. The information included customers' full names, billing details, email and delivery addresses, personal phone numbers and order details, as well as the last four digits of the payment card used.

This is exactly the type of data employed by malicious actors when launching social engineering and phishing attacks, although many threat operators harvesting such personal information will also opt to sell it to the highest bidder via online auctions on the dark web.

An incident report from JD Sports confirmed that the company is now proactively contacting impacted customers and advising them to act with vigilance regarding the risk of phishing attacks and other attempts at fraud. This includes remaining watchful of any unusual or suspicious communications that state they are from JD Sports or its associated group brands.

The retailer states that it never stores complete payment card details for orders placed online, so full card numbers could not have been exposed in this incident. It says the same applies to user account passwords, which it believes were not accessed during the attack on the server.

Actions and measures following a data leak

JD Sports informed the UK authorities of the security incident and also filed an official notice on the London Stock Exchange portal, explaining that the event also affected the enterprise’s sub-brands, including Size?, Blacks, Millets, MilletSport and Scotts.

Chief Financial Officer for JD Sports, Neil Greenhalgh, commented:

“We want to apologise to those customers who may have been affected by this incident. We are advising them to be vigilant about potential scam e-mails, calls and texts and providing details on how to report these. We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD.”

Despite the assurances from JD Sports, UK consumers who hold an account with the retailer are advised to reset their passwords as soon as possible as an added precaution. If they reuse the same username and password on other online platforms, those credentials should also be replaced with unique, strong ones that are hard to crack.

Finally, account holders should stay on the lookout for spear-phishing emails that use their stolen data to extract further personal information for malicious purposes.