UK sports apparel chain JD Sports is warning customers of a data breach after a server containing online order information for 10 million customers was hacked.
In data breach notices shared by affected customers, the company warns that the “attack” exposed customer information for orders placed between November 2018 and October 2020.
JD Sports says it detected the unauthorized access immediately and responded quickly to secure the breached server, preventing subsequent access attempts.
However, the hackers were able to steal the data for approximately 10 million unique customers, which consisted of the following information:
- Full name
- Billing details
- Delivery address
- Email address
- Phone number
- Order details
- Four final digits of the payment card
This data could be used to launch phishing or social engineering attacks against exposed individuals.
“We are proactively contacting affected customers so that we can advise them to be vigilant to the risk of fraud and phishing attacks,” reads the incident report.
“This includes being on the lookout for any suspicious or unusual communications purporting to be from JD Sports or any of our group brands.”
JD Sports says it does not store full payment card details for online orders, so complete financial information cannot have been compromised. The same applies to account passwords, which the firm says it has no reason to believe were accessed.
The company informed the authorities about the security incident and filed a notice on the London Stock Exchange portal, explaining that the security incident also impacted the company’s sub-brands JD, Size?, Millets, Blacks, Scotts, and MilletSport.
Some notice recipients questioned JD Sports’ decision to retain a historical record of online orders fulfilled over four years ago, since keeping that data increased the chances of it being leaked.
“Hi, got this email today. 1) Why are you storing data of orders nearly 5 years ago and 2) “limited data” that’s basically everything (circled),” commented a customer on Twitter, referring to the data breach notification shown above.
If you have an account with JD Sports, it would be advisable to reset your password out of an abundance of caution.
Furthermore, if you use the same credentials on other online platforms, reset your passwords there too, and replace them with strong and unique ones.
Finally, be on the lookout for targeted phishing emails that may use this stolen data to steal further information from customers.