
Up to 10 million people potentially impacted by JD Sports breach

We’re at the start of February, and news of breaches keeps on coming. In this case, though, while the news that 10 million JD Sports customers may have been impacted by a cyber attack has only just arrived, the data potentially accessed in that attack is already several years old.

The danger zone

If you made an online purchase from some of the companies that are owned by JD Sports between November 2018 and October 2020, your data may have been accessed by individuals who didn’t have permission to do so. JD Sports claims that the affected data was “limited” and did not include credit card details.

From the incident release:

The affected JD Sports group brands are JD, Size?, Millets, Blacks, Scotts, and MilletSport.

The affected data is limited. JD Sports does not hold full payment card data and, further, has no reason to believe that account passwords were accessed.

The information that may have been accessed consists of the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards of approximately 10 million unique customers.

As we’ll see below, this data gives attackers a lot of wiggle room for deploying threats against the unwary.

A passing danger

JD Sports says people impacted by the breach are being contacted about it, and that the incident is being investigated. While it's good that full payment card data wasn't exposed, what was taken could well be enough for criminals to launch a campaign of social engineering and/or phishing attacks.

There's a lot a scammer can do with a name, email address, delivery address and phone number, especially when they're paired with order details and the last four digits of a payment card: those two extra details make a fake refund or delivery message look far more convincing. You should be on your guard for rogue phone calls, bogus emails, dubious letters through the post, and potentially all three.

This kind of diligence can quickly become exhausting, and after a few months it's easy to relax and forget all about the breach. If you're unlucky, that's just about the time the scammer decides to strike.

Verify any outreach

If you've been caught up in this one, you should expect some form of communication from JD Sports in the very near future. JD Sports hasn't said how that contact will happen, which means the notification itself could be imitated and used as bait by a scammer. Unlikely, but not impossible.

If you are contacted, obtain official contact details directly from the JD Sports website rather than using any phone number, link, or email address supplied in the message. That way you can confirm the outreach is genuine before acting on it.

Pay close attention to texts, emails, or other messages about refunds, missing payments, or deliveries in transit. Double check against your bank statements, your order history, and anything else that helps confirm whether a message is legitimate. Fake parcel and delivery notifications, in particular, are a sneaky and very successful scam tactic.

Stay safe out there!



Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.