JD Sports has confirmed that a cyber-attack that hit the company between 2018 and 2020 may have resulted in the data leak of 10 million customers.
The company said this in an email sent to users earlier today and seen by Infosecurity.
“We wish to inform you about a security incident involving the data of some customers of JD Group brands who placed orders with us between November 2018 and October 2020. Our records show that you may be affected,” reads the email.
According to JD Sports, the company was the target of an attack that resulted in unauthorized access to a system that contained historical customer data relating to some online orders placed between November 2018 and October 2020.
“Our security team responded quickly, and there has been no subsequent unauthorized access to this server. We are engaging with the relevant authorities as necessary.”
The company said the accessed information included full names, delivery and billing addresses, email addresses, phone numbers and the final four digits of payment card and/or order details.
“Disclosing the breach is the right thing to do and necessary, but it can also help the hackers by priming the customers for a password reset email that will trick them into divulging their passwords and payment information,” commented Lior Yaari, CEO and co-founder of Grip Security. “There is likely to be additional fallout from this breach that will play out in the future.”
While the breach is relatively old, Jamie Cameron, security consultant at Adarma, said JD sports customers should change their passwords for their JD Sports account and any site on which they use the same email and password combination to prevent credential-stuffing attacks.
“They should also keep an eye out for any unusual card transactions. Customers should be especially vigilant against phishing attacks,” Cameron told Infosecurity in an email.
The breach disclosure comes weeks after American fast food restaurant chain Five Guys confirmed a separate data breach affecting customer data.