UPDATED 19:24 EDT / JANUARY 30 2023

Data belonging to 10M customers stolen from UK retailer JD Sports

U.K. retailer JD Sports Fashion plc has been hacked, with data belonging to about 10 million customers believed to have been stolen.

In a statement today, the company described the issue as a cyber incident that resulted in unauthorized access to a system containing customer data on some online orders placed between November 2018 and October 2020. JD Sports brands affected included JD, Size?, Millets, Blacks, Scotts and MilletSport.

The stolen data included name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards. The company noted that it does not hold full payment card data and has no reason to believe that account passwords were affected.

JD Sports ticked off the standard response list to a hack: hiring cybersecurity experts, contacting affected customers and engaging with authorities, including the U.K.’s Information Commissioner’s Office. Notably, the company has not offered any credit monitoring or identity theft service to affected customers and is instead telling customers to be careful.

“We want to apologize to those customers who may have been affected by this incident,” Neil Greenhalgh, chief financial officer of JD Sports, said in the statement. “We are advising them to be vigilant about potential scam e-mails, calls and texts and providing details on how to report these.”

How the data was stolen was not disclosed. Greenhalgh added that the company is continuing with a full review into its cybersecurity and that “protecting the data of our customers is an absolute priority.”

With JD Sports not revealing the hack method, speculation is already rife, with an exposed cloud instance the chief suspect.

“Often in situations like this, the headline will read something like ‘Hacker Exposes millions of users’ personal and sensitive data,’ yet rarely does the headline read ‘Misconfiguration of company datastore leads to data being copied and pasted,’” Chris Denbigh-White, security strategist at data loss prevention firm Next DLP, told SiliconANGLE.

Denbigh-White points to a tweet from security researcher @0xyzqt in December that revealed a JD Sports database containing customer information was identified as exposed directly to the internet as early as July 2022.

“Databases that are directly exposed to the internet are not difficult to find,” Denbigh-White explained. “This incident highlights the critical importance of robust database security measures and the consequences when these measures fail (or are absent), including data breaches and unauthorized access to sensitive information.”

Javvad Malik, security awareness advocate at security awareness training company KnowBe4 Inc., warned that JD Sports users should also be mindful of any emails or messages they receive which may claim to be from JD Sports.

“Criminals are always looking to piece together information from breaches to create convincing and authentic phishing scams,” Malik added. “If anyone receives such emails, they should not respond and rather seek to verify the authenticity directly with the company.”

Photo: Samuel Wiki/Wikimedia Commons
