JD Sports has warned customers that bought items on its website, as well as those of Size?, Blacks and Millets, between November 2018 and October 2020 may have been impacted in the breach.
The company has urged customers to be wary of potential phishing emails, calls and texts in the aftermath of the breach, while claiming they were proactively contacting those whose details were confirmed to be stolen. Paul Bischoff, Consumer Privacy Advocate at Comparitech, echoed this sentiment, warning that “customers of JD and its affiliated brands should be on the lookout for targeted phishing messages from JD or a related company. These emails will attempt to get victims to click on a link or malicious attachment. The links might go to imitation login pages where victims are tricked into handing over their passwords or payment info. Never click on links or attachments in unsolicited messages!”
While it is not believed that passwords or full payment card data was exposed, JD Sports has admitted that cybercriminals may have gained access to the final four digits of customers’ payment cards.
Neil Greenhalgh, CFO at JD Sports, apologised to affected customers and confirmed that the company is working to mitigate damages. “We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD,” he said.
A spokesperson for the Information Commissioner’s Office later confirmed it was working with the retailer to get to the bottom of the breach. “We have been made aware of a cyber incident involving the retailer JD Sports and we are assessing the information provided,” they said.
The breach comes amidst a spate of high-profile cyberattacks in recent weeks, including on the UK newspaper The Guardian and email marketing service Mailchimp. Jamie Akhtar, CEO and co-founder of CyberSmart, notes that “JD Sports is the latest British household name to fall prey to a cyber attack. And this really fits the trend we’re seeing; the current economic downturn has led to cybercriminals redoubling their efforts to steal potentially valuable personal data.”
Aside from the economic downturn, some experts have cited a fluctuating technology landscape as a key factor in these high-profile cyberattacks.
“The JD Sports cyber incident is a reminder for all organisations that globally we can expect an increase in breaches due to our digital dependence, especially as businesses recover from the COVID technology shifts, and continuing threat shifts. Sadly, whilst companies spent years solidifying their capabilities for GDPR, in the last couple of years data has become far more fragmented by quick shifts to the cloud,” said Greg Day, SVP and Global CISO at Cybereason.
Erfan Shadabi, Cybersecurity Expert at comforte AG, argued that cyberattacks on large retail and e-commerce businesses should come as no surprise, considering the enormous amount of sensitive personal data (PII) about existing and prospective customers, as well as their dependence on transactions to drive their business forward. “Retailers and e-commerce organizations must absolutely assume that their environment is currently under attack and protect this sensitive data accordingly. Businesses in these sectors need to apply data-centric protection to any sensitive data within their ecosystem (PII, financial, and transactional) as soon as it enters the environment and keep it protected even as employees work with that data. By tokenizing any PII or transactional data, they can strongly protect that information while preserving the original data format, making it easier for business applications to support tokenized data within their workflows,” he said.
Darren Guccione, CEO and co-founder at Keeper Security added some advice for concerned customers:
“Even in cases where customer data is stolen but their passwords are not, the threat to their passwords and other sensitive information from the data breach remains. Bad actors sell this valuable information on the dark web and in this instance, will often compare the JD Sports customer information to information from data breaches at other organisations that did compromise passwords or use the information for a targeted phishing attack. In phishing attacks, bad actors often tailor scams using aesthetic-based tactics such as realistic-looking email templates and malicious websites. The aesthetics users recognise, such as the logo or colour scheme of the site, are used to lure them into a malicious link or form field. The key to avoiding falling victim to this type of attack is to ensure users check that the URL matches the authentic website. In any case, emails containing links must always be subject to greater awareness and vigilance. A password manager that can automatically identify when a site’s URL doesn’t match is a critical tool for preventing the most common password-related attacks, including phishing.
“Even though JD Sports says passwords were not part of the stolen information, their customers should immediately update their passwords to be unique from any other passwords they’ve used in the past while ensuring each new password or passphrase is strong with uppercase and lowercase letters, numbers, and symbols. Passwords should also be paired with a strong MFA option as an added layer of security in the event their password is discovered.”
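The exact-origin check that Guccione describes (a password manager refusing to fill credentials when the page's URL does not match the saved site) is shown below as an added example; it is not code from the original article or from any vendor's product, and the saved hostname and the sample links are constructed placeholders.

```python
"""Exact-origin check of the kind a password manager runs before autofilling."""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed saved-credential entry: the origin the user actually registered
# with. The hostname is a placeholder, not a real retailer's domain.
SAVED_ORIGIN = {"scheme": "https", "host": "shop.example.co.uk"}


def normalise_host(host: Optional[str]) -> Optional[str]:
    """Lower-case the host and drop a trailing dot so the comparison is exact."""
    if host is None:
        return None
    return host.lower().rstrip(".")


def check_url(url: str, saved: dict = SAVED_ORIGIN) -> str:
    """Return 'match' only when scheme and host equal the saved origin.

    Otherwise name the first reason autofill must refuse: 'unparseable',
    'scheme-mismatch' (http instead of https) or 'host-mismatch'.
    urlsplit().hostname already strips any 'user@' prefix and port, so a
    lookalike that pads the real host with extra labels or hides it behind
    an '@' is compared on the host the browser would actually connect to.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable"
    host = normalise_host(parts.hostname)
    if host is None:
        return "unparseable"
    if parts.scheme.lower() != saved["scheme"]:
        return "scheme-mismatch"
    if host != saved["host"]:
        return "host-mismatch"
    return "match"


# Constructed sample of pages a user might reach from a link in an email.
SAMPLE_LINKS = [
    "https://shop.example.co.uk/account/login",
    "https://SHOP.example.co.uk./orders?id=1",            # case and trailing dot are harmless
    "http://shop.example.co.uk/login",                    # downgraded scheme
    "https://shop.example.co.uk.login-verify.example/",   # real host is the last labels
    "https://shop.example.co.uk@login-verify.example/",   # '@' userinfo trick
    "https://shop-example.co.uk/login",                   # lookalike registrable domain
]


def triage(links=SAMPLE_LINKS) -> Dict[str, str]:
    """Map each link to its verdict; only 'match' entries would be autofilled."""
    return {link: check_url(link) for link in links}
```

Only the first two sample links match; the remaining four are the cases a user eyeballing a familiar logo and colour scheme is most likely to miss.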
Debrup Ghosh, senior product manager at the Synopsys Software Integrity Group, emphasized that every business is ultimately a software business, saying “As Marc Andreessen said over a decade ago, ‘software is eating the world.’ Now that software continues to consume and automate many areas of our personal and professional lives, we must also consider that cyberattacks are now eating software. Every modern company across all industry verticals that either builds or utilizes software is vulnerable to cyberattack. Personal information that is often the central focus of cyber theft can be leveraged for identity theft and financial fraud, among others.
“At this point, the root cause for the JD Sports breach isn’t yet publicly available. However, this breach underscores that companies of all shapes and sizes need to take measures to protect the personally identifiable information of their customers.
“At a minimum, consumers who believe they may have been impacted should consider changing their password and not re-use that password for more than one service. Organizations should implement defense mechanisms such as extended detection and response, advanced encryption, security audits, vulnerability testing, and employee training at a minimum to protect against external threats. Additionally, Boards of Directors for organizations can also impact positive change by mandating more comprehensive cybersecurity practices to ensure that the organization is doing as much as possible to maintain trust in their software, so customers maintain trust in the brand.”
Jamie Cameron, security consultant at Adarma, concluded: “JD Sports customers should change their passwords for their JD Sports account and any site that they use the same email/password combination on to prevent credential stuffing attacks. They should also keep an eye out for any unusual card transactions. Customers should be especially vigilant against phishing attacks. If the hackers have compromised the email addresses and phone numbers of JD Sports’ customer base, attackers might leverage those details to specifically target those customers. They should also be aware that hackers may target them by impersonating partner companies of JD Sports; for example, attackers might assume you buy from Sports Direct if you’re a customer of JD Sports.”