UK’s JD Sports data breach compromises 10 million users

Contacting affected customers may take a while.
31 January 2023

So much for cybersecurity. Protect your historical data too.

Getting your Trinity Audio player ready...

When people think of a data breach in 2023, they tend to imagine the data that’s attacked will be modern, up-to-date, and potentially of immediate use to the cybercriminals. But British sportswear retailers, JD Sports, has just amply demonstrated the need for a robust cybersecurity policy that deals with historic data too. A cyberattack on the chain’s systems has potentially compromised the data of 10 million customers who bought from it between 2018-2020.

The 10 million customer breach.

The company, which is contacting affected customers, but which might understandably take a while to get around all 10 million, said the data that had been accessed could include its customers’ names, addresses, email addresses, phone numbers, order details and the final four digits of their bank cards.

While apologising to its compromised customers, the company also said it believed the data that had been affected was “limited” – the last four digits of card numbers, rather than the whole card numbers.

The type of data involved still allows significant potential activity by cybercriminals though.

JD Sports, which also owns several subsidiary brands, said it was working with both “leading cyber-security experts” and the UK’s Information Commissioner’s Office (ICO) to minimize the impact of its extensive data breach, while insisting that “Protecting the data of our customers is an absolute priority for JD Sports.”

Several cybersecurity experts almost immediately contacted Tech HQ to take some issue with the use of the phrase “absolute priority” in this case.

Absolute priority.

Muhammad Yahya Patel, Security Engineer at Check Point Software, said:

“In this case we see historic data has been affected, which raises questions regarding the volume of information being stored and what security is being implemented around it. As consumers, we trust retailers to secure our sensitive details. A breach of this size, or indeed any size, erodes that trust, which can be hard to recover.

“Transparent reporting is critical. Without all the information, it’s impossible to learn and improve security measures at a macro level.”

Meanwhile, Darren Guccione, the CEO of Keeper Security, explained that incomplete data could still be considered an effective haul.

“Even in cases where customer data is stolen but their passwords are not, the threat to their passwords and other sensitive information from the data breach remains. Bad actors sell this valuable information on the dark web and in this instance, will often compare the JD Sports customer information to information from data breaches at other organizations that did compromise passwords or use the information for a targeted phishing attack.

“In phishing attacks, bad actors often tailor scams using aesthetic-based tactics such as realistic-looking email templates and malicious websites. The aesthetics users recognize, such as the logo or color scheme of the site, are used to lure them into a malicious link or form field. The key to avoiding falling victim to this type of attack is to ensure users check that the URL matches the authentic website. In any case, emails containing links must always be subject to greater awareness and vigilance.  A password manager that can automatically identify when a site’s URL doesn’t match is a critical tool for preventing the most common password-related attacks, including phishing.

“Even though JD Sports says passwords were not part of the stolen information, its customers should immediately update their passwords to be unique from any other passwords they’ve used in the past, while ensuring each new password or passphrase is strong, with uppercase and lowercase letters, numbers, and symbols. Passwords should also be paired with a strong MFA option as an added layer of security in the event their password is discovered.”

Be on your guard.

That was advice echoed by JD Sports’ Chief Financial Officer, Neil Greenhalgh, who acknowledged that even with the “incomplete” dataset being compromised, affected customers – or anyone who thought they might be affected, ahead of having it confirmed by the company – should be “vigilant about potential scam emails, calls and texts.”

That will be of little comfort to the potential 10 million customers – especially as they now know the company is actively trying to get in touch with them. In a supreme irony, the ground has been laid for a perfect scenario in which cybercriminals with some of the customers’ private data – email address, name, home address, last four digits of a card, say – could actively communicate with the customers in an attempt to make them give up some crucial other elements of their data, while pretending to be a representative of JD Sports, advising of the breach of their data.

That’s a second-wave threat acknowledged by Vonny Gamot, Head of EMEA at McAfee. “Unfortunately, the data of over 10 million customers may now be at risk. A high-profile attack like this is often followed by cybercriminals launching further rounds of phishing attacks, usually via email or SMS, that direct people to bogus sites designed to steal more personal or financial information. Always double check the sender looks legitimate and watch out for any spelling or grammar errors.”

The potential outcome for JD Sports.

Meanwhile, for not being “sufficiently” protective of its customers’ private historical data, JD Sports may feel the scourging effect of the law.

Jonathan Compton, a leading legal expert on data protection from London law firm DMH Stallard, outlined how serious that could be for the compromised business.

“The aggravating factors here are the numbers involved, the personal data accessed, and the length of time since the infringement.

“JD Sports can expect fines up to the higher maximum permitted under Part 6 of the Data Protection Act 2018.

“The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.”


This just in: historic user data is valuable too – companies need to protect it all from compromise, not just the most recent data generated.

How is your company’s historic data safety profile?