JD Sports facing cyber attack, confirms customer data may have leaked

Retail giant JD Sports has confirmed it has been the target of a cyber attack which has resulted in the unauthorised access to a system containing customer data.

The group noted that the information accessed related to online orders placed between November 2017 and October 2020, however added that the affected data was limited.

The incident has impacted a number of the group’s brands, including JD, Size?, Millets, Blacks, Scotts and MilletSport.

While JD Sports confirmed that it did not hold full payment card data, and does not believe that account passwords had been accessed, information that may have been retrieved consists of name, billing address, delivery address, email, phone number, order details and the final four digits of payment cards of approximately 10 million unique customers.

Around 10 million customers possibly impacted

In a regulatory filing, the group said it had taken “the necessary immediate steps to investigate and respond to the incident”.

It added that it is working with cyber security experts and engaging with the relevant authorities, including the UK’s Information Commissioner’s Office (ICO).

Affected customers are also being contacted and are being advised to remain vigilant to any risk of fraud and phishing.

Speaking on the matter, Neil Greenhalgh, chief financial officer of JD Sports, said: "We want to apologise to those customers who may have been affected by this incident.

“We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these. We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD."