
JD Sports Details Data Breach Affecting 10 Million Customers

Exposed: Online Customer Details, But Not Complete Payment Card Data
Image: Samuel Wiki/CC0 1.0

JD Sports, a British-based sports fashion retailer with outlets around the globe, says hackers stole data pertaining to "approximately 10 million unique customers."


The company says the breach stems from a system containing customer data "relating to some online orders placed between November 2018 and October 2020" and warns that affected customers are now at heightened risk of fraud and phishing attempts that reuse the stolen details.

The company, which trades on the London Stock Exchange and is majority owned by London-based Pentland Group, operates thousands of physical stores in multiple countries.

In a Monday data breach notification, the company says the security incident affects online customers of six of its sports fashion and outdoor clothing store brands: JD, Size?, Millets, Blacks, Scotts and MilletSport.

Exposed information includes a customer's name, billing address, delivery address, email address, phone number and order details. It also includes the last four digits of a customer's payment card. The company says it does not store full payment card data, so card numbers, expiry dates and CVV values were not held on the affected system.

The company "has no reason to believe that account passwords were accessed."

Notification received by a customer on Jan. 30, 2023 (Image: ISMG)

JD Sports is warning customers to be "on the lookout for any suspicious or unusual communications purporting to be from JD Sports or any of our group brands." Because the stolen records pair a customer's contact details with real order history and the last four card digits, scammers can craft messages that reference genuine purchases and appear authentic.

Based on notifications received by customers, the breach appears to affect individuals in the United Kingdom and multiple other countries.

"We are continuing with a full review of our cybersecurity in partnership with external specialists following this incident," said company Chief Financial Officer Neil Greenhalgh.

Across all of its different brands, JD Sports operates 3,402 stores in 32 territories, according to its 2022 annual report. The company's stores are predominantly located in the U.K., and are also in Ireland and other parts of the EU. JD Sports also operates stores in Asia-Pacific, the United States and Canada.

The company declined to comment on when the breach began, when it was detected and how, and where all affected customers reside.

JD Sports in its breach notification says it has notified Britain's Information Commissioner's Office, which enforces the U.K. General Data Protection Regulation. Under GDPR, an organization that suffers a personal data breach must report it to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

One regulatory question to be answered about the JD Sports breach will be whether the company was complying with GDPR's data minimization and storage limitation principles, given that some of the exposed data is now more than four years old. Under GDPR, any organization that collects or processes personal data must collect only as much as it needs - and is allowed - and must not retain it for longer than is necessary for the purpose it was collected.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
