JD Sports is contacting customers who have been affected by a cyber attack that may have exposed their personal details.
The incident impacted 10 million people who placed orders between November 2018 and October 2020.
Customer names, delivery, billing and email addresses, phone numbers, and the last four digits of bank cards were potentially exposed.
It includes people who shopped at JD as well as the group’s Size, Millets, Blacks, Scotts, and MilletSport brands.
The sportswear company does not believe account passwords were accessed, and has assured people affected that their full payment card details were not held.
However, they are being warned to watch out for scam emails, calls, and texts.
In an email to customers, JD Sports said: “We take the protection of customer data extremely seriously and we are sorry this has happened.”
JD ‘working with cyber experts’
The company has said it is engaging with the UK’s Information Commissioner’s Office about the attack.
“We have taken the necessary immediate steps to investigate and respond to the incident, including working with leading cyber security experts,” the firm added.
Neil Greenhalgh, chief financial officer of JD, said: “We are continuing with a full review of our cyber security in partnership with external specialists following this incident.
“Protecting the data of our customers is an absolute priority for JD.”
What should customers be aware of?
Scam emails, calls, and texts will come from fraudsters purporting to represent JD Sports or its other brands.
Matt Hull, global head of threat intelligence at cyber security company NCC Group, told Sky News such communications are “generally not well put together”.
He advised that people should watch out for “things being misspelled, poor grammar, and odd formatting” as telltale signs that emails and texts might not be genuine.
“Quite often they will try to induce the individual to follow a link, go to a website, download a document, or provide more information that they would not expect,” he added.
For JD, the priority will be working out how the attackers got in and ensuring they are not still in its network.
Companies worried about cyber attacks must make sure they have strong password policies in place, allow their customers to use multifactor authentication, and ensure their security systems are up-to-date.
Information of this type is also liable to end up on criminal forums and marketplaces, Mr Hull warned.
“This type of data is really valuable,” he said.
“It can be sold, it can be reused for further criminal activity.”
The attack at JD comes just a few weeks after Royal Mail was targeted by a ransomware gang linked to Russia.
It left more than half a million parcels and letters stuck in limbo.
Last year, the National Cyber Security Centre warned cyber attacks were a “major challenge to businesses and public services in the UK”.