JD Sports Retailer Suffer Cyber Attack

Lewis Fairburn

Marketing Manager

Lewis is the Marketing Manager here at Pentest People. Handling our brand identity, event planning and all promotional aspects of the business.


JD Sports Sportswear Retailer have suffered a cyber attack that exposed the data of 10 million customers accessed by backers in the attack. The personal data which was exposed includes customer’s names, email addresses, contact details and passwords.

What Happened?

The attack is believed to have been caused by a malicious actor that gained access to the retailer’s IT systems. The company has said that no financial information was compromised in the attack and it is working with authorities to investigate further. JD have now said that they are taking steps to strengthen their security measures to prevent another attack from happening.

What Does This Highlight Going Forward?

The incident highlights the need for companies of all sizes to be vigilant when it comes to data security. It is also worth noting that cyber attacks have become increasingly sophisticated over time and can target any business regardless of its size or sector. Companies should ensure they have robust cyber security measures in place and are regularly updating them to stay ahead of any potential threats.


The data breach at JD Sports enhances the importance of having your cyber security measures securely in place. It is essential for all businesses to protect their customers’ personal information and ensure they are taking steps to prevent cyber attacks from occurring. Here at Pentest People, we are actively identifying and eliminating vulnerabilities in your systems to secure your networks from real life hackers. Learn more about our Penetration Testing Services here.

Video/Audio Transcript

Today's headlines on Pentas people's tech back, sportswear retailer JD sports said it was the victim of a cyber attack that exposed the data of 10 million customers assessed by hackers in a cyber attack. The retailer has notified the Information Commissioner's Office about the security breach, said it was contacting affected customers wanting them to be aware of potential scams. I'm joined today with our consultants, Chris, Chris, it's your first time on a tech fight. It is yeah. Thanks for coming on. And Louis Graham, thanks for coming on today's Tech fight again, Louis. Thank you happy to be here. So what can you both tell us about this JD cyber attack.

So about it looks at things with the JD cyber attack essentially, at large amount of customer personal identifiable information was, was managed to be recovered by malicious attack. You know, these information included people's names, partial sections of payment information, and just other identifiers that could be used yet again, in cases of potential identity fraud and other such thing, you know, the kind of information that will lead to some fun finds to do with GDPR, etc,talking about identity theft, and can you explain to our tech listeners a bit more about identity theft.
So it could lead to stuff like potentially people doing stuff such as you know, either trying to acquire stuff, like your own bank funds that could sign up for services and stuff like that in your name? You know, there's a lot of different things I can happen with it. But yeah, there's, there's all sorts of things like, you know, signing up for services, and if people can maybe even like, try and go down the route of potentially getting like loans or credit in your name, but then it all goes today in mobile phone contracts, you know, it's a lot of different things that people can do. And usually it's, you know, it's it's low level scammers that kind of really try and do them most with identity fraud kinds of stuff, I guess all depends, doesn't it? On what information as you go, Oh, yeah, it's down to what information you've actually acquired how they themselves can figure out how to utilise your information to then benefit themselves, at least for a short while until they get caught?

What advice do you both have for people that have had their data leaked.

So in terms of anyone who's out there daily tip, it is a case of the have information out and about, you know, I would heavily suggest things such as passwords are changed, trying to limit the amount of data that you are sharing on the internet itself. Me personally, you know, on social media accounts, it literally just has my initials, it doesn't even have my full name on there. I try and hide as much personally identifiable information that's out there about myself. And is, you know, having, we live in a social media age. So it's a case of you know, it is hard to hide your online presence to keep up with friends and family. So, you know, reducing your information to a tiny footprint is probably a good idea. And just generally just avoiding things such as third party marketing cookies, and all the other trackers and available things out there. Because all that does is you know, you give it up, you're essentially giving up parts of your privacy, to marketing and advertising and stuff like that, which obviously becomes quite a nuisance in the modern age as well.

Definitely agree with you there, Chris. Everyone should be careful what information they make public. Louis, are there any comments you would like to add? Yes. So again, it depends on what type of data has been leaked. And if you've been made aware of the data that's been leaked. So for example, this is the JD, and this league, there's no passwords have been leaked, apparently. So it's more, more losing their email, their phone numbers, and everything can really lead to sort of primarily phishing attacks and phishing. This is more, not necessarily somebody can do unless they really want to go about changing their phone number and email, but maybe having correct spam filters on emails can help you with phishing attacks, as well as just generally being more knowledgeable in sort of the whole sort of fishing aspect. Really, would you say two factor authentication is is a good one as well to have? Yes, I mean, you should always have two factor authentication in my walk. I think that's just an added layer on top of the fishing. I think that helps if you've been if you've been exploited by a phishing attack. That's when multi factor authentication will help you Yeah, so as well just add a little extra point. So yeah, even, even in cases where, you know, myself, I'm signed up to a service where, if any of my personally identifiable information has been discovered as part of a breach, I get email alerts of this. And then it's a case of, I have multifactor authentication activated on every single online account that I manage myself that I'm aware of. There's also the terms of GDPR, which essentially being able to sign up to a service, it should also be just as easy to remove your information from that service. And that was the entire point of GDPR. In the case of where you sign up, and say, if you do have a lot of service emails and stuff that comes through, you should be able to just send an email to that company and say, I want you to remove my information, I don't want to use it for marketing or advertising purposes, I don't want to give it to any third parties. And they have to abide by that and reply within a reasonable time. But in the case of if you have been breached, if you already have that to fit in place, or you don't get the to have it in place, because even if you passwords get breached, they're still missing that additional security method to get into your accounts.

There's there's a lot of times you don't even know that you've actually been a part of a security breach. A good example of this is dark invader. Fantastic, you know, they have fantastic tools where they can basically find a date on the dark web, and you'll be surprised what you can pull out with them what you've seen, it's kind of like scary, exactly. I think a lot of people, especially those who don't work within the security industry itself, don't understand that there is the fact is that the moment you've released your personal information to accompany, there is always the chance that someone else is going to get a hold of that information. So you always need to be wary with what you are providing to companies, how many services you are actually signing up for stuff I like, you know, even if you see these like little fun applets and stuff for social media sites, where it's kind of like, Hey, we're going to put a filter on your office, please sign up for our service, and then we'll convert your photo, these are overwrite. These are other issues where you don't know how many steps they're taking to actually gain a lot more of your information. And then you're also putting a face to your information as well. And then that could be in another database that don't get breached. And the whole cycle continues. So reducing services that you think might be a bit fishy, even though the phone at the time, it could lead to a position where you have been a victim of identity fraud because of this.

And I mean up to speed speaking earlier on about a friend of mine whose Instagram nearly got hacked, as they sent her a message saying someone tried to sign in into into her or her account, but she didn't have to she didn't have two factor authentication. I think it's always important for people for people's passwords to have a mixture of numbers mixture of symbols. So it's hard for hackers to try and guess the passwords.
Yeah, of course. So generally, you know, there's there's the whole kind of good practices, the five random words or a password, that one's always great, using combinations of numbers and letters. But yeah, you know, just just making sure that passwords are as random as possible, you know, nothing, nothing that relates back to yourself. And then so yeah, in terms of the passwords, so passwords and multi factor authentication, they go hand in hand, while it is a good idea to set strong passwords using you know, a lot of randomness and, you know, even a combination of maybe three to five words, numbers, letters, symbols, but you always need that MFA on top in order to protect yourself. So as long as you're getting something like a token, or an email or a code that you need to enter alongside it, then at least whoever's potentially going to hack into an account. As long as they don't have access to your authentication methods that are outside of a password, well, then they're going to really struggle to get in.
Yeah, can you give our tech that listener some key examples of keeping their data safe?
password managers is a good one. Definitely reading what you're signing up to. One of the main ones I always tell people is whenever you sign up for a new service, always make sure the tick boxes that you're taking are actually read because quite a lot of the times you'll see it where it is a combination of Have you read our terms and conditions and agree to this but under the always that extra tick box just below it, which is we may provide your data to third parties. Are you okay with this? The moment you click yes, on that one, you have no idea where your data is going because you don't know why partners are and it can be quite difficult to find out even from the company themselves, who is going to gain access to that information and for what you Since they're gonna have me and you Lewis mentioned, password managers. In our last podcast we did we mentioned was it one password, one passwords are great to LastPass is a great to even for the older generation in terms of password managers, even if it's a case of you know, those who aren't as clued up. And I know, this even might sound contradictory, contradictory to quite a lot of best practices that we would just apply to clients and stuff like that. But in terms of personal use, and stuff like that, I'd say don't save your passwords to an actual device on your browser. You know, if you're using any form of syncing and stuff like that, and to actually have a consistent profile across all accounts, I tell older members of my family, you know, if you're going to have passwords, have a nice little notebook, hide them in there somewhere. And then just make sure it was kept in a drawer and not out in, you know, out in the open, just keep it hidden aware. Only, you know, which kind of notebook you've got that might have some hidden passwords in it. But it's just to make sure that people aren't forgetting them as well. And with the older generation, we do always have to kind of think of solutions that work for them as well, those who are not, you know, as tech literate as the younger generations.

Why is it now that online retail is getting vulnerable? And what can be done about this, as there has been a shocking rise in the number of cyber attacks perpetrated against online retailers in the past year. Yes. So it's not only just retail, so we've seen a massive spike and especially ransomware, in sort of the past, honestly, the past month, to be honest. So we've had food chains, as well, the Royal Mail that we'd spoke about last week. I think the retail market is evergreen, right? I think it's big, I think physically shopping is becoming more obsolete, I think retail is just retail online, retail is just becoming even better. So I think it's just a thriving place for someone for a hacker to try and
retrieve details from Yeah, I think, I think the retail market itself gets heavily attacked purely because of the massive amounts of debt that they will actually be holding. And the more and more debt a company is holding, the more and more you know, it can start to creep and become a lot harder to manage and keep secure. So in terms of online retailers, especially with JD, and the subsidiaries of GE, JD, that were attacked, you know, there's, there's companies such as size in there as well, I believe, and I believe there's forgotten a couple of the groups in there. But you know, there are some high level retailers in that I do see a lot of footfall, and each one of these retailers, when you go to their websites, now they're offering either guest checkout, or those make it easy for you, we'll save your payment details, we'll make an account for you. And this is where, you know, even though they're offering that service, these retailers do need to look into ways to keep in that there are a lot more secure. And even so I don't believe a lot of retailers will be offering things such as multi factor authentication, because they just see it as like a quick checkout functionality.
So we're not actually sure, well, it hasn't been released yet to what they were vulnerable to security wise. So we're not actually sure if it was fishing or something,

it was just described in the articles as malware in a very kind of rudimentary way about so until he's kind of released, we will be to show how it was that they got breached.

Just something they need to, I guess work on, isn't it sort of making sure everything's secure?
Yeah. So in terms of like, operational and technical procedures, and stuff like that, you know, making sure they've got good panel, patch management, making sure that they're GDPR compliant, making sure in house you know, that they've got good managerial procedures as well, you know, locking screens as a bare minimum is one that goes on past in most office purchases, do you think
it's like something to do with more like a, like, they don't want to spend money on sort of these sorts of services and making sure everything's locked up? Or do you think it's more just a competency issue where they just don't think that it would be a problem
quite a lot of the time, it seems to be a 5050 case of competency versus cost, and is quite a lot of the time. You know, and I never want to die with the ability of teams of people that are out there work in a similar industry towards but unfortunately, when something like this happens, you do have to one unfortunately, you've got to question the competence, and how things have been handled and what kind of management procedures are in place to handle these things in future, and what kind of disaster recovery procedures are now going to happen in order to reduce this and what they're going to do moving forward which to stop it happening again.

I think it's it's Hindsight is a wonderful thing, isn't it? Yeah. thing is, I think, I think at first glance, right, if you haven't been hacked like this before, you probably wouldn't think much of it, but I'm sure we're going to probably after this be very uptight with this.
So someone such as myself who's worked, you know, both on the red TV side of things, and working as a network security officer, you know, it is one of those kinds of things where, for us, guys, obviously, we see every vulnerability working doing red team work, but then when it comes to the actual defensive side of things, you know, there's always that red tape around being able to achieve the levels of security that you want to achieve. So that's where the costing comes in more than anything, but also the the size of workloads to incorporate decent patch management cycles, and, you know, make sure man says kept up with our thoughts are dealing with day to day queries. So here's one of those kinds of things where a lot of there is a lot of creep to the workload. And unfortunately, the these big blunders eventually come out. At the end of the day,
who should be seen more of as an investment? To be honest, I think, what you put into it, you know, the amount of X amount of money that you put into it, yes, definitely, you're going to lose weight less than if you were hacked, like JD, for example. Yeah. And
even with social things, such as the cyber insurance marketplace at the moment now. So back when cyber insurance was originally kind of introduced as a, as a feature that like companies could sign in for from my insurance providers. We're now actually at the point where these breaches that are occurring, you know, almost weekly now, are causing even the premiums to go up that massive later, these are actually cheaper for companies to just invest correctly. Instead of paying for cyber insurance.

I think it's not only just monetary value that they're losing. I think it's all in reputation, reputation. customer trust,
is a massive one reputation always is the main thing that comes before them, or is the reputation that will affect them in the long run.
And especially because now retail like online, retail is massive compared to physically shopping yourself. I, you know, I think someone's going to second guess about now shopping. JD? Definitely, what do you think the future looks like for JDS and other retailers? So this is a great question. So I did recently check the stock evaluation for them, and it hasn't hit them, stock wise, it hasn't actually hit them. So that's why I think it is predominantly just going to be on the trust side, to be honest, I think their reputation has been hit very hard.
Yeah, I feel like, you know, something like JD balls, which is obviously a lot more local to the UK, I believe, as a retailer, you know, it won't have as much of a stock market kind of issue. But in terms of breaches such as like, with bigger companies, such as Microsoft and Cisco, which also happened recently, their market shares were heavily affected at the time that he will bounce back purely because of the fact is that even you know, industry giants can be subject to a breach in some form.

The retailer has said it has taken the necessary immediate steps to investigate and respond to the incidents, including working with cybersecurity experts and to be aware of potential fraud attacks. Have you both got any final comments before we end this tech fight today?
In terms of the professionals, you know, no doubt, in situations such as this, where a breach of this size is a giant scam of a they are using. Hopefully the people who have hired to assist them through this difficult time, do implement good procedures, but at the end of the day is is down to the companies themselves. They can hire as you know, as a highest skilled expert as they're one. But if the culture within the businesses doesn't change, then things like this will happen again. So it does essentially become a culture shock to the companies themselves. I
definitely agree with you there, Chris. I think they need to invest more into their cybersecurity to avoid them from having an attack like this again, and finance head of JDS Neil green have stated that they are continuing with a thorough review of their cybersecurity in partnership with external specialists following this incident. Thank you both for joining me on today's Tech by it's been really great having you both on again, and thank you to our tech back listeners for tuning in. Join me next week on another tech bite.