JD Sports, a major retailer of high-end sports apparel, has confirmed that it was the victim of a major cyberattack that gave hackers access to client data without authorisation.
The company said the incident affected some online orders placed between November 2018 and October 2020, specifically purchases from its JD, Size?, Millets, Blacks, Scotts, and Millets Sport brands.
JD Sports also claims it noticed the unauthorised access instantly and acted quickly to protect the compromised system, blocking further hacking attempts.
Customers’ names, billing and delivery addresses, phone numbers, email addresses, and order details are among the information that has been made public, along with the final four digits of customers’ credit or debit cards. According to the company, it doesn’t save complete credit card information.
This information could be used to launch phishing or social engineering attacks against the affected customers.
The company said it had notified the Information Commissioner’s Office about the security breach and was reaching out to affected customers to alert them to possible scams.
Some users criticised JD Sports’ choice to keep a historical record of online orders placed more than four years ago, which posed the threat of a data breach.
Neil Greenhalgh, the chief financial officer of JD Sports, said in a report:
“We want to apologise to those customers who may have been affected by this incident. We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these.”
The ICO confirmed it was aware of the attack and said it was assessing the information provided by JD Sports.
Malicious software, sometimes known as “malware,” is increasingly being used by hackers to steal data from businesses, according to Scott Nicholson, co-chief executive of the cyber security firm Bridewell.
He continued by saying:
“It is good to see JD Sports stating that they are working with experts to help from a containment and recovery perspective, but once the dust has settled their comments of ‘we take the protection of customer data extremely seriously’ will be put to the test by the ICO.”
JD Sports’ Recommendations
If you have a JD Sports account, reset your password immediately. If you use the same login information on other online sites, replace those passwords with strong, one-of-a-kind ones.
JD advised customers to be wary of fraudsters who may use compromised data to target them and pose as JD representatives over the phone, via email, or via text message.
Never respond to pressure from an email or a caller that warns of significant consequences if you don’t quickly submit or confirm banking information. If you think the contact is authentic, do not use the link in the email; instead, go directly to the company’s website by typing the address manually from memory or selecting a page you’ve already saved.