Breaking: JD Sports Data Breach Following Cyberattack

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Jan 30, 2023 04:34 am PST

JD Sports has issued a warning that a cyberattack that affected the company may have exposed the personal information of roughly 10 million customers, including personal contact information, such as phone and email addresses. The hack may have affected customers who ordered goods from the business between 2018 and 2020.

The company claimed that credit card information was secure and that there was no reason to believe that hackers had gained access to customer passwords. According to JD Sports, hackers gained access to a system that held customer data on orders between November 2018 and October 2020.

Brands including JD, Size?, Millets, Blacks, Scotts, and MilletSport are among those that are affected. We are aggressively getting in touch with concerned clients so that we can caution them about the possibility of fraud and phishing attacks.

Billing, shipping, email addresses, complete names, phone numbers, information on previous customer orders, and the last four digits of their credit cards may have been accessible to the intrusive party.

JD Alerts Users About Possible Fraudsters

JD cautioned customers to be on the lookout for any possible fraudsters who would use this information to target them and pose as JD representatives when calling, emailing, or messaging. Chief financial officer Neil Greenhalgh said, “We wish to apologize to all consumers who this occurrence may have impacted.

“We are giving them tips on how to report scam emails, calls, and texts and warning them to be on the lookout for potential scams.

“Following this event, we thoroughly examine our cyber security in collaboration with outside experts. JD states that protecting consumer data is a principal focus. The company declared that it would promptly get in touch with any clients whose data may have been compromised.

It is the most recent in a string of recently publicized cyberattacks against British businesses. Last Thursday, Royal Mail was able to resume providing corporate clients with signed overseas deliveries.

After being targeted by what was purportedly a ransomware attack, the organization was compelled to discontinue several international delivery choices.

On Monday, JD Sports stated: “We have worked with top cyber security specialists to analyze and respond to the situation, among other essential emergency steps.

“We are cooperating as needed with the appropriate agencies, including the UK’s Information Commissioner’s Office (ICO). The impacted consumers are being proactively contacted so that we can warn them to be on the lookout for fraud and phishing attacks.

“This includes keeping an eye out for any shady or strange emails claiming to be from JD Sports or any of our group businesses,” the statement continued.


After a cyberattack, millions of JD Sports customers are being warned about scams. The incident exposed names, email addresses, and credit card numbers. They are concerned about specific November 2018 –October 2020 internet orders. JD Sports, Size?, Millets, Blacks, Scotts, and MilletSport are affected. Now JD Sports, based in Bury, Greater Manchester, warns clients about fraudulent emails, calls, and messages. JD Sports’ chief financial officer, Neil Greenhalgh, apologized: We are warning people about scam emails, calls, and messages and offering information on how to report them. After this occurrence, we are reviewing our cyber security with external experts. JD prioritizes consumer data security.”

Notify of
7 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Debrup Ghosh
Debrup Ghosh , Senior Product Manager
InfoSec Expert
February 1, 2023 9:29 am

As Marc Andreessen said over a decade ago, “software is eating the world.” Now that software continues to consume and automate many areas of our personal and professional lives, we must also consider that cyberattacks are now eating software.

Every modern company across all industry verticals that either builds or utilises software is vulnerable to cyberattack. Personal information that is often the central focus of cyber theft can be leveraged for identity theft, and financial fraud, among others. 

At this point, the root cause for the JD Sports breach isn’t yet publicly available. However, this breach underscores that companies of all shapes and sizes need to take measures to protect the personally identifiable information of their customers.

At a minimum, consumers who believe they may have been impacted should consider changing their password and not re-use that password for more than one service. Organisations should implement defence mechanisms such as extended detection and response, advanced encryption, security audits, vulnerability testing, and employee training at a minimum to protect against external threats. Additionally, Boards of Directors for organisations can also impact positive change by mandating more comprehensive cybersecurity practices to ensure that the organisation is doing as much as possible to maintain trust in their software, so customers maintain trust in the brand.

Last edited 7 months ago by Debrup Ghosh
Keiron Holyome
InfoSec Expert
January 31, 2023 12:17 pm

“This attack on JD Sports underscores that the global cyber risk equally applies to British institutions and their supply chains. Data related to 10 million customers might now be at risk after the company was hit by a cyber-attack.” 

“Businesses should not have to suffer the effects of cyber-attacks. Endpoint detection and response (EDR) focused solutions take action too late and do not prevent breaches. Prevention is the best strategy. With a prevention-first and AI-driven approach, malware can be stopped in its tracks.” 

“A prevention-first security posture begins with neutralising malware prior to the exploitation stage of the kill-chain. By stopping malware at the exploitation stage, organisations can increase their resilience, reduce infrastructure complexity, and streamline security management. We do not believe that there needs to be victims.”  

Last edited 7 months ago by Keiron Holyome
John Davis
John Davis , Director UK & Ireland
InfoSec Expert
January 31, 2023 12:16 pm

“JD Sports’ data breach reminds us that no organisation is safe, and everyone has a role to play in digital fortification. Following a huge number of high-profile security breaches just in the past year, we’ve learnt that budget alone is not enough to implement adequate defences.

“Cybercriminals are levelling up. Their attacks are more prevalent, more sophisticated and harder to detect. Brand reputations and relationships with customers are on the line. Customers will reward businesses who can persuade them they are best equipped to manage their data.

“The golden rule to remember is that prevention is always better than cure. Power comes through knowledge about how cyberattacks could happen and flagging them to the UK’s national reporting centre for fraud and cybercrime. This is why cybersecurity training shouldn’t just be a tick box exercise, but an ongoing journey of education for us all.”

Last edited 7 months ago by John Davis
Dr. Darren Williams
Dr. Darren Williams , Founder and CEO
InfoSec Expert
January 31, 2023 12:15 pm

“Retailers are often seen as high value targets for cybercriminals as they typically have a wealth of customer data worth exfiltrating and any downtime is hugely destructive to their business.

Whilst we don’t yet know the nature of the attack on JD Sports, we do know that ransomware in the retail sector experienced a 67% increase over 2021. Whether the sector is being targeted for its customer data or because lack of investment in cybersecurity defenses has made them low hanging fruit for attackers, protecting customer data with third generation cybersecurity solutions is essential to avoid being the next victim.”

Last edited 7 months ago by Dr. Darren Williams
Mark Wojtasiak
Mark Wojtasiak , VP Product Strategy
InfoSec Expert
January 31, 2023 12:14 pm

“Although JD Sports says that affected data is ‘limited’, the breached database held sensitive customer data including delivery and billing addresses, email addresses, order details, and the final four digits of customer card details. With this treasure trove of customer information, cybercriminals can launch highly targeted and effective social-engineering attacks.
“JD customers will have to be extremely vigilant over the coming months, as they could receive professional-looking spoof emails that use their personal details to convince them to click on malicious files or links, or be tricked into giving up even more sensitive information.
“For JD or any organisation storing customer PII (personally identifiable information) this must be a lesson learnt. By the time attackers have been able to access and exfiltrate this kind of data, it’s already too late to stop the risk of phishing attacks against customers. Instead, organisations must shift their security strategy to focus on detection and response – spotting cybercriminal activity as early as possible in the attack chain, so they can stop attacks before they become breaches. Ultimately, by having ears and eyes closer to the ground, organisations will be in a better position to prioritize and stop attackers at the earliest possible stage”.”

Last edited 7 months ago by Mark.Wojtasiak

Recent Posts

Would love your thoughts, please comment.x