Article Written By: Davey Winder
JD Sports, the high street sports fashion retail giant, has confirmed that it was targeted in a successful cyber-attack that has resulted in unauthorized access to customer data. How much data? A JD Sports Fashion Plc spokesperson told me the number could be “approximately 10 million unique customers.” Here’s what we know so far.
In an email to customers, seen by this reporter, the JD Sports Group has confirmed that a security incident, which may impact as many as 10 million customers, gave attackers access to data including “full name, delivery and billing address(es), email address, phone number, final 4 digits (only) of payment card and/or order details.”
According to the email, the data is from a database containing orders placed between November 2018 and October 2020.
In a statement emailed to me by a JD Sports Fashion Plc spokesperson, the organization confirmed that the affected JD Sports group brands are “JD, Size?, Millets, Blacks, Scotts and MilletSport.” The statement also added that JD Sports do not hold full payment card details, and the company “has no reason to believe that account passwords were accessed.”
“We want to apologize to those customers who may have been affected by this incident,” Neil Greenhalgh, the chief financial officer of JD Sports, said, adding that advice is being sent for them to be vigilant regarding scam emails, calls, and texts. While a full security review is continuing, including help from external specialists, Greenhalgh somewhat predictably said, “protecting the data of our customers is an absolute priority for JD.”
John Davis, the U.K. and Ireland director at the SANS Institute, says, “cybercriminals are levelling up. Their attacks are more prevalent, more sophisticated, and harder to detect. Brand reputations and relationships with customers are on the line. Customers will reward businesses who can persuade them they are best equipped to manage their data. The golden rule to remember is that prevention is always better than cure. Power comes through knowledge about how cyberattacks could happen and flagging them to the UK’s national reporting centre for fraud and cybercrime.”
Obviously, being a cybersecurity specialist, I would advise all customers of any of those brands to change their passwords as soon as possible, regardless.
Meanwhile, Javvad Malik, lead security awareness advocate at KnowBe4, advises users to “be mindful of any emails or messages they receive which may claim to be from JD Group. Criminals are always looking to piece together information from breaches to create convincing and authentic phishing scams. If anyone receives such emails, they should not respond and rather seek to verify the authenticity directly with the company.”
The incident disclosure email sent to customers advised that anyone wishing to report suspicious activity should do so by contacting Action Fraud, the national fraud and cybercrime reporting center for the U.K. “If you would like to contact us about this matter, you can email us at [email protected]” the email concluded.
One of the strange things about this data breach is the timeframe of the database in question, covering online sales for a two-year period ending in 2020. “In this case, we see historic data has been affected, which raises questions regarding the volume of information being stored and what security is being implemented around it,” Muhammad Yahya Patel, a security engineer at Check Point Software, said. “As consumers, we trust retailers to secure our sensitive details. A breach of this size, or indeed any size, erodes that trust, which can be hard to recover,” Patel continued.
Camellia Chan, the CEO at X-PHY, added that while it’s good that remediation is ongoing, “containment is never the preferred route when dealing with the data of customers.” Obviously, a robust incident response plan is necessary, “but organizations should prioritize preventing such incidents in the first place,” Chan says. “How? By accepting that we must reduce human intervention in our cybersecurity approaches to avoid internal leaks and weak spots while integrating proactive cybersecurity defenses all the way from the hardware level to the external layers to build an ironclad defense.”
Source: Forbes By: Davey Winder