JD Group said the threat actor accessed a server that held the data of some customers who placed online orders between November 2018 and October 2020. The threat actor used brute force to breach the company’s systems. In total, about 10 million customers were affected by this incident, the company said. The affected JD Sports brands include JD, Size?, Millets, MilletSport, Blacks, and Scotts. In its email, JD Group said the incident exposed “limited” customer information. “The affected data is limited. We do not hold full payment card details and we do not believe account passwords were accessed,” the statement said. JD Sports did not store customers’ login details on the same server. “We want to apologise to those customers who may have been affected by this incident. We are advising them to be vigilant about potential scam e-mails, call and texts and providing details on how to report these. We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD,” Neil Greenhalgh, JD Sports chief financial officer, said. JD Group has over 3,400 stores in 32 countries. While a majority of the affected customers are based in the UK, some may be in other countries where the company operates.
Leaked Personal Data
According to JD Group, the affected server contained historical customer data. This includes a database with customers’ full names, delivery and billing addresses, email addresses, phone numbers, order details, and the last four digits of credit/debit cards. JD Group became aware of the breach late last year but only recently discovered the extent of the unauthorized access. JD Group said its security team responded swiftly to block unauthorized access to the server. The company also said it is “engaging” with the relevant authorities. “I haven’t shopped with any of JD’s brands in years, and I don’t normally shop in their stores. As a result, I’ll be honest – I have no idea how or when the company obtained my data,” Christopher Bluvshtein, a cybersecurity expert at VPNOverview, who is among the affected customers, said. “To me, it’s just a reminder of how long our data can sit in vast company databases and come back to bite us, and how hard it is to track who has your information. It’s another reminder of why it’s so important to be vigilant about what data we’re providing and to whom.”
‘Remain Vigilant’
JD Group has advised affected customers to be vigilant of scam calls, texts, and emails from cybercriminals posing as representatives of the company. “While you do not need to take any specific action, please remain vigilant to fraud attempts and be alert for any suspicious emails, calls or texts which say they are from JD Sports or any of our Group brands,” JD Group said. “Avoid clicking on links in any unexpected emails or texts.” Cybercriminals often use leaked personal data like names, phone numbers, and email addresses to launch convincing phishing attacks. In recent years, we’ve seen social engineering attacks become increasingly sophisticated. Last year, the IRS warned of a sharp rise in SMS phishing attacks. Attackers continue to find new ways to trick users into clicking malicious links or giving up confidential information. The best way to stay protected is to exercise caution and educate yourself about the common threats. For more information, check out our detailed explainer on phishing. While JD Group says it’s unlikely the breach exposed customers’ passwords, we recommend resetting your passwords out of an abundance of caution. Ensure you’re using unique, secure passwords for all your accounts. Also, keep an eye out for any unauthorized transactions or accounts opened in your name.