The sportswear retailer can expect fines in the realm of £17.5m or 4% of annual turnover, says law firm partner 

Sportswear retail chain JD Sports has been hit by a cyber attack that targeted the data of 10m of its customers.

According to a statement, the incident affected customers who placed orders with the retailer between November 2018 and October 2020 including – customers that shopped at JD Group brands such as Size, Millets, Blacks, Scotts and MillerSport.

The retailer said it would contact customers directly if their data was at risk, but that “affected data is limited”. 

It added that it “does not hold full payment card data and further has no reason to believe that account passwords were accessed. 

Neil Greenhalgh, chief financial officer of JD Sports, added: “We want to apologise to those customers who may have been affected by this incident. We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these.

”We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD.”

The attack on JD Sports follows Royal Mail being targeted by a ransomware attack in mid-January this year.

Implications 

Speaking about the implications of the attack, Jonathan Compton, partner at city law firm DMH Stallard, said: “The aggravating factors here are the numbers involved, the personal data accessed and the length of time since the infringement.

“JD Sports can expect fines up to the higher maximum permitted under part six of the Data Protection Act 2018.

“The higher maximum amount is £17.5m or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.”

Consumer group Which? additionally warned that customers whose data was compromised should “keep a close eye on bank accounts and credit reports over the next few months”.

A statement from JD Sports said: ”The information that may have been accessed consists of the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards of approximately 10 million unique customers.

”We have taken the necessary immediate steps to investigate and respond to the incident, including working with leading cyber security experts. We are engaging with the relevant authorities, including the UK’s Information Commissioner’s Office (ICO), as necessary.

”We are proactively contacting affected customers so that we can advise them to be vigilant to the risk of fraud and phishing attacks. This includes being on the look out for any suspicious or unusual communications purporting to be from JD Sports or any of our group brands.”

In an email to customers, the sportswear retailer said: “We take the protection of customer data extremely seriously and we are sorry this has happened.”