Ten million customer accounts at risk as JD Sports falls victim to cyber attack

Retail chain JD Sports Fashion has said annual profits will be towards the top end of expectations (Nicholas T Ansell/PA) (PA Wire)

JD Sports became the latest large business to admit it has fallen victim to a cyber attack that leaves 10 million customers potentially at risk.

The self-styled King of Trainers says it does not think account passwords were accessed and that it does not hold full payment card data.

Nevertheless it issued an apology.

Chief financial officer Neil Greenhalgh said: “We want to apologise to those customers who may have been affected by this incident. We are advising them to be vigilant about potential scam e-mails, calls and texts and providing details on how to report these. We are continuing with a full review of our cyber security in partnership with external specialists following this incident.”

The hack compromised online orders placed between November 2018 and October 2020. The affected brands are JD, Size?, Millets, Blacks, Scotts and MilletSport.

The hack follows similar incidents at Royal Mail and The Guardian.

Retailers are said by experts to be likely targets for cyber attacks since they hold so much customer data.

In an email to customers, JD said: “We take the protection of customer data extremely seriously and we are sorry this has happened.”

Keiron Holyome at BlackBerry said:

“This attack on JD Sports underscores that the global cyber risk equally applies to British institutions and their supply chains. Data related to 10 million customers might now be at risk after the company was hit by a cyber-attack.”

JD Sports could face a fine of more than £17 million.

Jonathan Compton at city law firm DMH Stallard said: "The aggravating factors here are the numbers involved, the personal data accessed and the length of time since the infringement. JD Sports can expect fines up to the higher maximum permitted under Part 6 of the Data Protection Act 2018.

"The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher."

John Davis at the SANS Institute said: “JD Sports’ data breach reminds us that no organisation is safe, and everyone has a role to play in digital fortification. Following a huge number of high-profile security breaches just in the past year, we’ve learnt that budget alone is not enough to implement adequate defences. Cybercriminals are levelling up. Their attacks are more prevalent, more sophisticated and harder to detect. Brand reputations and relationships with customers are on the line. Customers will reward businesses who can persuade them they are best equipped to manage their data.”