British retail giant JD Sports has confirmed that it was the target of a cyber attack that gave unauthorized access to a system containing customer data. The company said the information accessed related to online orders placed between November 2017 and October 2020, but added that the dates involved were limited.
The incident has affected a number of Group brands including JD, Size?, Millets, Blacks, Scotts and MilletSport.
While JD Sports confirmed it was not in possession of the full payment card details and therefore does not believe the accounts passwords were accessed, the information that may have been accessed consists of name, billing address, shipping address, email, phone number , order data and the last four digits of the payment cards of around ten million individual customers.
Around ten million customers may be affected
In a note to regulators, the group said it had taken “the necessary immediate steps to investigate and respond to the incident,” adding that it was also working with cybersecurity experts and relevant authorities, including UK Information Commissioner’s Office (ICO). The affected customers will also be contacted and asked to protect themselves against fraud and phishing.
JD Sports Chief Financial Officer Neil Greenhalgh said on the matter: “We would like to apologize to the customers affected by this incident. We advise you to be aware of possible fraudulent emails, calls and texts and how to report them. After this incident, we are conducting a comprehensive review of our cyber security in cooperation with external specialists. Protecting our customers’ data is an absolute priority for JD.”