In its data breach notice issued on 30 January 2023, the UK retailer JD Sports informed around 10 million customers that their personal information may have been compromised in a cyberattack. The cyberattack affected online shoppers who made purchases on JD Sports websites for six of its sportswear and outdoor gear retail brands between November 2018 and October 2020. The information security breach resulted in hackers obtaining customer names, billing addresses, shipping addresses, email addresses, phone numbers, and order details, as well as the last four digits of payment cards.
The company said it did not keep full payment card data and therefore the company had “no reason to believe that the passwords for accounts were compromised”. The company stated that full payment data and passwords were not stored and therefore could not have been compromised. JD Sports took immediate steps towards cybersecurity management on the breached server. “We are continuing with a full review of our cybersecurity in partnership with external specialists following this incident,” said the firm's chief financial officer, Neil Greenhalgh.
The company declined to comment on when the data breach began, when the cyber threat was discovered, or where any affected customers were located. JD Sports said in its breach notice that it had informed Britain's Office for the Information Commissioner, which oversees the UK's General Data Protection Regulation. Under the GDPR, as soon as an organisation believes that it might suffer from a personal data breach, it has to alert the appropriate authorities within 72 hours.