One of the UK’s biggest fashion retailers suffered a cyber attack that leaked customer profile information. The odd element of the incident is that the stolen information dates specifically from November 2018 to October 2020, yet some 10 million records of customer data were apparently taken.
The cyber attack hit JD Sports and impacts a number of its subsidiary brands. The leaked customer data appears to come from online orders made during the period: names, addresses, phone numbers and so on. The last four digits of payment card numbers are also reportedly included, though the company says no complete payment information was leaked.
Customer data taken from one of the UK’s fastest-growing retailers
JD Sports has been a major clothing retailer in the UK for decades, but has experienced particularly strong growth in recent years. The timing of the cyber attack roughly coincides with the period in which it began seeing major leaps in sales, though there is not yet any evidence indicating it was targeted for that reason.
While UK customers appear to be happy with the apparel, there will no doubt be some hard questions about how safely the company is handling customer data after this incident. The company has yet to disclose exactly how the breach happened, but the huge number of records paired with a very specific time period points to some sort of unsecured internet-connected database as the most likely culprit.
The information stolen in the cyber attack is not enough to commit fraud on its own, but customers are likely looking at targeted phishing attempts to the exposed email addresses and phone numbers. JD Sports is not advising that any login credentials were stolen or that action is necessary at this time, but customers may want to change their password as a precaution.
Cyber attack hit range of JD Sports clothing brands
JD Sports retail outlets sell all types of fashion brands, but the company also has its own series of private labels. Some of these are the parties impacted by the cyber attack: Millets, MilletSport, Blacks, Scotts, Size? and JD. Reasonable speculation is that the stolen customer data came from some sort of database meant to store order information just for the specific JD-owned brands, for internal marketing or accounting purposes. The incident has raised some questions about how common it is for retailers to store order data that dates back nearly half a decade.
While JD Sports has yet to issue any updates on the cause of the cyber attack, at least one independent security researcher reported that they had found a misconfigured database that appeared to belong to the company. That report was posted by @0xyzqt and claims that the vulnerable internet-facing database was first detected in July 2022, and there did not appear to be any follow-up by JD Sports. The type of customer data reported to be leaking from this database also matches what was lost in the cyber attack.