Cyber Incident Victim: JD Sports Fashion Plc

Date: Jan 2023

Location: United Kingdom

Summary

JD Sports Fashion Plc experienced unauthorized access to a system containing historical customer data from online orders, impacting approximately 10 million unique customers across its JD, Size?, Millets, Blacks, Scotts, and MilletSport brands. The compromised information included names, billing and delivery addresses, email addresses, phone numbers, order details, and the final four digits of payment cards, though full payment data and account passwords remained secure. The company engaged cybersecurity experts and notified relevant authorities, including the UK's Information Commissioner's Office, while proactively warning affected customers about potential fraud and phishing risks. A full review of cyber security protocols was initiated following the incident.

Description

JD Sports Fashion Plc disclosed a cyber incident on January 30, 2023, involving unauthorized access to a system storing historical customer data. The breach affected online orders placed between November 2018 and October 2020 across multiple group brands: JD, Size?, Millets, Blacks, Scotts, and MilletSport. Approximately 10 million unique customers had personal information exposed, including names, billing and delivery addresses, email addresses, phone numbers, order details, and the final four digits of payment cards. The company confirmed it did not store full payment card data and found no evidence that customer account passwords were compromised. JD Sports initiated an immediate investigation upon discovering the breach, collaborating with external cybersecurity specialists to assess the intrusion.

The organization notified the UK Information Commissioner's Office (ICO) and began proactively contacting affected customers to alert them about potential fraud and phishing risks. Communications emphasized vigilance against suspicious emails, calls, or texts impersonating JD Sports or its affiliated brands. Chief Financial Officer Neil Greenhalgh issued a public apology to impacted customers and confirmed an ongoing comprehensive review of the company's cybersecurity measures with external partners. JD Sports maintained that protecting customer data remained its highest priority throughout the response. The breach did not disrupt current operations, as the compromised system contained only historical order data from the specified 2018-2020 timeframe. No additional technical details about the attack vector, intrusion timeline, or threat actor were disclosed in the public statement.
