JD Sports Details Data Breach Affecting 10 Million Customers
Exposed: Online Customer Details, But Not Complete Payment Card Data
JD Sports, a British-based sports fashion retailer with outlets around the globe, says hackers stole data pertaining to "approximately 10 million unique customers."
The company says the breach stems from a system containing customer data "relating to some online orders placed between November 2018 and October 2020" and that customers are at risk from scammers.
The company, which trades on the London Stock Exchange and is majority owned by London-based Pentland Group, operates thousands of physical stores in multiple countries.
In a Monday data breach notification, the company says the security incident affects online customers of six of its sports fashion and outdoor clothing store brands: JD, Size?, Millets, Blacks, Scotts and MilletSport.
Exposed information includes a customer's name, billing address, delivery address, email address, phone number and order details. It also includes the last four digits of a customer's payment card. The company says it does not store full payment card data.
The company "has no reason to believe that account passwords were accessed."
JD Sports is warning customers to be "on the lookout for any suspicious or unusual communications purporting to be from JD Sports or any of our group brands."
Based on notifications received by customers, the breach appears to affect individuals in the United Kingdom and multiple other countries.
"We are continuing with a full review of our cybersecurity in partnership with external specialists following this incident," said company Chief Financial Officer Neil Greenhalgh.
Across all of its different brands, JD Sports operates 3,402 stores in 32 territories, according to its 2022 annual report. The company's stores are predominantly located in the U.K., and are also in Ireland and other parts of the EU. JD Sports also operates stores in Asia-Pacific, the United States and Canada.
The company declined to comment on when the breach began, when it was detected and how, and where all affected customers reside.
JD Sports in its breach notification says it has notified Britain's Information Commissioner's Office, which enforces the U.K. General Data Protection Regulation. Under GDPR, once an organization believes it may have suffered a breach of personal data, it must alert a relevant authority within 72 hours.
One regulatory question to be answered about the JD Sports breach will be whether the company was complying with GDPR's data minimization rules, given that some of the exposed data is now more than four years old. Under GDPR, any organization that collects or processes personal data must collect only as much as it needs - and is allowed - and delete the data in a timely manner.