UK-based sports fashion retailer JD Sports, which has offices and stores globally including in India, has been hit by a cyber-attack that could have affected up to 10 million online customers.
The attack is believed to have occurred in recent times, but names, billing and delivery addresses, emails, phone numbers and order details are among the information that may have been accessed by hackers between November 2018 and October 2020. The final four digits of customers’ 16-digit payment cards were exposed.
In a notice filed to the London Stock Exchange’s Regulatory News Service the company said: “We have taken the necessary immediate steps to investigate and respond to the incident, including working with leading cyber-security experts.”
The attack affected customers at a number of the group’s brands including JD, Size?, Millets, Blacks, Scotts and MilletSport. The company described the impact as “limited” because the incident did not involve full payment card data and said there is “no reason to believe that account passwords were accessed.”
JD Sports also said that it is continuing to investigate the incident and has notified the Information Commissioner’s Office, the United Kingdom’s data protection regulator.
“We are proactively contacting affected customers so that we can advise them to be vigilant to the risk of fraud and phishing attacks. This includes being on the look-out for any suspicious or unusual communications purporting to be from JD Sports or any of our group brands,” the notice added.
“We want to apologise to those customers who may have been affected by this incident. We are advising them to be vigilant about potential scam e-mails, calls and texts and providing details on how to report these,” the company’s chief financial officer, Neil Greenhalgh, said.
“We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD,” Greenhalgh added.
The incident is the latest in a string of cyber-attacks on major consumer-facing organisations across the world to have unfolded in the space of barely a month. From ransomware and phishing to supply chain attacks, cybercrime continued to create havoc in 2022.
According to a report published on 5 January, 2023 by cybersecurity firm Check Point Research, cyberattacks are increasing worldwide, with 38% more cyberattacks per week on corporate networks in 2022, compared to 2021. In the last three months of 2022 itself, multiple organisations such as cloud storage company Dropbox, fintech company Revolut, messaging firm Twilio, ride-sharing service Uber, online password management service LastPass and hospitality group Marriott International, among others, suffered cyber-attacks.
More recently, on January 11, 2023 media group The Guardian reported it was hit by a “highly sophisticated” ransomware attack last month. Experts suggest that the magnitude and novelty of digital attacks this year will only get more aggressive.