A high street retail sports chain says stored information relating to 10m customers is at risk after a cyber attack.
Hackers may have obtained JD Sports’ customers’ names, addresses, email accounts, phone numbers, order details and the final four digits of bank cards on online orders between November 2018 and October 2020.
Neil Greenhalgh, chief financial officer of JD Sports, said: “We want to apologise to those customers who may have been affected by this incident. Protecting the data of our customers is an absolute priority for JD.”
One cybersecurity expert said continued attacks erode trust.
Muhammad Yahya Patel, Security Engineer at Check Point Software, said: “In this case, we see historic data has been affected, which raises questions regarding the volume of information being stored and what security is being implemented around it.
“As consumers, we trust retailers to secure our sensitive details. A breach of this size, or indeed any size, erodes that trust, which can be hard to recover.
“This is just another example of why transparent reporting is so critical. Without all the information, it’s impossible to learn and improve security measures at a macro level.”
Jonathan Compton, partner at city law firm DMH Stallard, said: “The aggravating factors here are the numbers involved, the personal data accessed and the length of time since the infringement.
“JD Sports can expect fines up to the higher maximum permitted under Part 6 of the Data Protection Act 2018.
“The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.”