British sports clothing retailer JD Sports has reported a data breach that has affected more than 10 million customers.
The retailer said on January 30 that the data breach occurred after a malicious party gained unauthorized access to a system containing customer data relating to orders placed between November 2018 and October 2020. This included orders from other JD Sports group companies including JD, Blacks, Size?, Scotts, Millets and MilletSport.
JD Sports told the London Stock Exchange the data accessed was “limited” as the retailer “does not believe passwords were accessed” and does not save payment information. Information accessed during the breach may include names, email addresses, the last four digits of payment cards, delivery addresses, phone numbers, billing addresses and order details.
The company said it was “proactively contacting” those affected by the breach and urged all customers to remain vigilant for phishing attacks and fraud attempts following the breach.
Chief financial officer at JD Sports, Neil Greenhalgh, said: “We want to apologize to those customers who may have been affected by this incident…We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD.”
The sports fashion retailer said that it will be working with the relevant authorities including the UK Information Commissioner’s Office (ICO) to investigate the incident.