JD Sports has warned customers that bought items on its website, as well as those of Size?, Blacks and Millets, between November 2018 and October 2020 may have been impacted in the breach.
The company has urged customers to be wary of potential phishing emails, calls and texts in the aftermath of the breach, while claiming they were proactively contacting those whose details were confirmed to be stolen. Paul Bischoff, Consumer Privacy Advocate at Comparitech, echoed this sentiment, warning that “customers of JD and its affiliated brands should be on the lookout for targeted phishing messages from JD or a related company. These emails will attempt to get victims to click on a link or malicious attachment. The links might go to imitation login pages where victims are tricked into handing over their passwords or payment info. Never click on links or attachments in unsolicited messages!”
While it is not believed that passwords or full payment card data were exposed, JD Sports has admitted that cybercriminals may have gained access to the final four digits of customers’ payment cards.
Neil Greenhalgh, CFO at JD Sports, apologised to affected customers and confirmed that the company is working to mitigate damages.
“We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD,” he said.
A spokesperson for the Information Commissioner’s Office later confirmed it was working with the retailer to get to the bottom of the breach.
“We have been made aware of a cyber incident involving the retailer JD Sports and we are assessing the information provided,” they said.
The breach comes amidst a spate of high-profile cyberattacks in recent weeks, including on the UK newspaper The Guardian and email marketing service Mailchimp. Jamie Akhtar, CEO and co-founder of CyberSmart, notes that “JD Sports is the latest British household name to fall prey to a cyber attack. And this really fits the trend we’re seeing; the current economic downturn has led to cybercriminals redoubling their efforts to steal potentially valuable personal data.”
Aside from the economic downturn, some experts have cited a fluctuating technology landscape as a key factor in these high-profile cyberattacks.
“The JD Sports cyber incident is a reminder for all organisations that globally we can expect an increase in breaches due to our digital dependence, especially as businesses recover from the COVID technology shifts, and continuing threat shifts. Sadly, whilst companies spent years solidifying their capabilities for GDPR, in the last couple of years data has become far more fragmented by quick shifts to the cloud,” said Greg Day, SVP and Global CISO at Cybereason.
Erfan Shadabi, Cybersecurity Expert at comforte AG, argued that cyberattacks on large retail and e-commerce businesses should come as no surprise, considering the enormous amount of sensitive personal data (PII) about existing and prospective customers, as well as their dependence on transactions to drive their business forward.
“Retailers and e-commerce organizations must absolutely assume that their environment is currently under attack and protect this sensitive data accordingly. Businesses in these sectors need to apply data-centric protection to any sensitive data within their ecosystem (PII, financial, and transactional) as soon as it enters the environment and keep it protected even as employees work with that data. By tokenizing any PII or transactional data, they can strongly protect that information while preserving the original data format, making it easier for business applications to support tokenized data within their workflows,” he said.