JD Sports is contacting customers affected by a cyber attack that may have exposed their personal details.
The incident affected 10 million people who placed orders between November 2018 and October 2020.
Customer names, delivery and billing details, email addresses, phone numbers and the last four digits of bank cards could have been exposed.
It includes people who shop on JD.com as well as the group’s Size, Millets, Blacks, Scotts and MilletSport brands.
The sportswear company believes account passwords were not accessed and assured those affected that their full payment card details were not taken.
However, they are warned to beware of scam emails, phone calls and text messages.
In an email to customers, JD Sports said: “We take the protection of customer data very seriously, and we apologize that this happened.”
JD.com “cooperates with internet experts”
The company said it was in contact with the UK’s Information Commissioner’s Office about the attack.
“We have immediately taken the necessary steps to investigate and respond to the incident, including working with leading cybersecurity experts,” the company added.
Neil Greenhalgh, chief financial officer of JD.com, said: “Following this incident, we will continue to conduct a comprehensive review of our network security, working with external experts.
“Protecting our customers’ data is an absolute priority for JD.”
What should customers pay attention to?
Scam emails, phone calls and text messages will be from fraudsters claiming to represent JD Sports or its other brands.
Matt Hull, global head of threat intelligence at cybersecurity firm NCC Group, told Sky News such communications “usually don’t go together very well”.
He suggested people should be on the lookout for “spelling mistakes, grammatical errors and odd formatting” as signs that emails and texts may not be authentic.
“They often try to trick individuals into clicking a link, visiting a website, downloading a file or providing more information than they expected,” he added.
For JD.com, the top priority is figuring out how attackers got in and making sure they’re not on its network.
Companies concerned about cyberattacks must ensure they have strong password policies, allow their customers to use multi-factor authentication, and ensure their security systems are up to date.
Such information could also end up on criminal forums and marketplaces, Mr Hull warned.
“This type of data is extremely valuable,” he said.
“It can be sold and it can be repurposed for further criminal activity.”
JD’s attack came weeks after Royal Mail was targeted by a ransomware gang linked to Russia.
It left more than half a million packages and letters in trouble.
Last year, the National Cyber Security Centre warned that cyber attacks are a “significant challenge to UK businesses and public services”.