JD Sports, a British sports apparel brand with stores all over the world, disclosed that hackers obtained information on “approximately 10 million unique customers.” The business says customers are at risk of fraud because the incident involved a system holding customer data “related to some online orders done between November 2018 and October 2020.”
The company, which has hundreds of physical locations throughout several nations and trades on the London Stock Exchange, is primarily controlled by the Pentland Group of London. In a Monday data breach notification, it said that the security incident impacts online customers of six of its sports fashion and outdoor wear retail brands: JD, Size?, Millets, Blacks, Scotts, and MilletSport.
The exposed information consists of a customer’s name, billing address, delivery address, email address, phone number, and order details. The final four digits of a customer’s payment card are also included. According to the business, partial payment card data is not stored. The firm “has no reason to believe that account passwords were accessed.”
According to a statement from JD Sports, customers are urged to watch for any suspicious or odd emails claiming to be from JD Sports or any of its group brands. Customer alerts indicate that the breach appears to have affected people in the UK and several other nations.
“We are continuing with a full review of our cybersecurity in partnership with external specialists following this incident,” said company Chief Financial Officer Neil Greenhalgh.
According to its 2022 annual report, JD Sports runs 3,402 outlets across its many brands in 32 countries. Most of the company’s retail locations are in the UK, although several are in Ireland and other EU countries. Additionally, JD Sports has shops throughout North America, Canada, and Asia-Pacific. The business declined to comment on the breach’s duration, how it was discovered, or the locations of all impacted customers.
According to JD Sports’ breach notification, the company contacted the Information Commissioner’s Office, the enforcement body for the U.K. General Data Protection Regulation. Given that some of the exposed data is already more than four years old, one legal concern surrounding the JD Sports breach will be whether the corporation was adhering to GDPR’s data minimization standards. Under GDPR, a competent authority must be notified within 72 hours if a company suspects a personal data breach has occurred. Any business that gathers or handles personal data must do so lawfully, hold only as much as is necessary, and erase the information promptly.