British sportswear chain JD Sports is warning customers of a data breach after a server containing online ordering information for 10 million customers was hacked.
In data breach notices shared by affected customers, the company warns that the “attack” exposed customer information for orders placed between November 2018 and October 2020.
JD Sports claims to have immediately detected the unauthorized access and reacted quickly to secure the hacked server, preventing further access attempts.
However, the hackers were able to steal the data of approximately 10 million unique customers, which consisted of the following information:
- Full name
- Billing details
- Delivery address
- E-mail address
- Phone number
- Order details
- Last four digits of payment card
This data could be used to launch phishing or social engineering attacks against exposed individuals.
“We are proactively reaching out to affected customers to advise them to be vigilant against the risk of fraud and phishing attacks,” the incident report said.
“This includes being on the lookout for any suspicious or unusual communications claiming to be from JD Sports or any of our group brands.”
JD Sports says it does not store full payment card details for online orders, so full financial information cannot have been compromised. The same goes for account passwords, which the company says it has no reason to believe have been accessed.
The company notified the authorities of the security incident and submitted a review on the London Stock Exchange portal, explaining that the security incident also impacted the company’s sub-brands JD, Size?, Millets, Blacks, Scotts and MilletSport.
Some recipients of the notice questioned JD Sports’ decision to keep a history of online orders made more than four years ago, which increases the risk of data leakage.
“Hi, I received this email today. 1) Why do you store order data from almost 5 years ago and 2) ‘limited data’ i.e. all (circled)” commented a customer on Twitter, referring to the data breach notification above.
If you have an account on JD Sports, it would be advisable to reset your password as a precaution.
If you use the same credentials on other online platforms, reset those passwords as well and change them to strong, unique ones.
Finally, be on the lookout for targeted phishing emails that could use this stolen data to steal additional information from customers.