UK sportswear retailer JD Sports is warning some 10 million of its customers that their personal data — including name, billing address, delivery address, email address, phone number, order details, and last four payment card digits — might have been exposed in a recent cyberattack.

Affected customers placed online orders with JD Sports between November 2018 and October 2020 for items branded JD Sports, Size?, Millets, Blacks, Scotts, and MilletSport, the company said in a statement.

JD Sports said while it cannot definitively say whether the data was accessed, the system holding the data was, so as a precaution, JD Sports is notifying and advising impacted customers to remain on the lookout for social engineering scams.

JD Sports does not store full payment card details, the retailer said, and there is no evidence that account passwords were compromised.

"We want to apologize to those customers who may have been affected by this incident," Neil Greenhalgh, JD sports chief financial officer said in the cyber-incident disclosure. "We are advising them to be vigilant about potential scam emails, calls, and texts and [are] providing details on how to report these. We are continuing with a full review of our cybersecurity in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD."

Stolen Data Could Fuel Follow-on Cyberattacks

While disclosure is the right thing to do for the retailer, notes Lior Yaari, CEO of Grip Security, letting the public as well as potential threat actors know about the breach without first resetting account credentials might in itself attract the wrong kind of attention.

"Retailers should approach a breach of customer data similar to an internal breach of employees — requiring every customer to reset their account credentials," Yaari said in a statement provided to Dark Reading. "The official announcement from JD Sports and the news coverage sets the stage for the hackers to start sending out password reset phishing emails to the 10 million customers to harvest their credentials."

Yaari predicts additional attacks will be fueled by this breach.

In fact, companies like JD Sports should avoid downplaying the significance of a compromise of customer data, according to Chris Denbigh-White, security strategist at data protection firm Next DLP.

"In JD Sports' press release, the company took great steps to reassure customers that the extent of potentially compromised information was 'limited,'" Denbigh-White explained in a statement provided to Dark Reading. "To a consumer, this exposure of personal information, which cannot be changed, is not a trivial matter and is likely to lead to further phishing and fraud attempts."