JD Sports Retailer Suffer Cyber Attack

Article by • February 16, 2023


JD Sports, the sportswear retailer, has suffered a cyber attack in which hackers accessed the data of 10 million customers. The exposed personal data includes customers’ names, email addresses, contact details and passwords.

What Happened?

The attack is believed to have been caused by a malicious actor that gained access to the retailer’s IT systems. The company has said that no financial information was compromised in the attack and it is working with authorities to investigate further. JD have now said that they are taking steps to strengthen their security measures to prevent another attack from happening.

What Does This Highlight Going Forward?

The incident highlights the need for companies of all sizes to be vigilant when it comes to data security. It is also worth noting that cyber attacks have become increasingly sophisticated over time and can target any business regardless of its size or sector. Companies should ensure they have robust cyber security measures in place and are regularly updating them to stay ahead of any potential threats.


The data breach at JD Sports reinforces the importance of having cyber security measures firmly in place. It is essential for all businesses to protect their customers’ personal information and ensure they are taking steps to prevent cyber attacks from occurring. Here at Pentest People, we actively identify and eliminate vulnerabilities in your systems to secure your networks from real-life hackers. Learn more about our Penetration Testing Services here.


Today’s headline on Pentest People’s Tech Bite: sportswear retailer JD Sports said it was the victim of a cyberattack that exposed the data of 10 million customers accessed by hackers in a cyber attack. The retailer has notified the Information Commissioner’s Office about the security breach and said it was contacting affected customers, warning them to be aware of potential scams.

And I’m joined today with our consultants.

Chris, Chris is your first time on a Tech Bite.

It is, yeah. Thanks for coming on. And Louis Graham.

Thanks for coming on today’s tech bite again.

Lewis, thank you.

Happy to be here.

So what can you tell us about this JD cyber attack?

So lots of things with JD cyberattack, essentially a large amount of customer personal identifiable information was managed to be recovered by malicious attack.

The information included people’s names, partial sections of payment information and just other identifiers that could be used again in cases of potential identity fraud and other such things.

You know, the kind of information that will lead to some fun fines to do with GDPR.

Talking about identity theft, can you explain to our listeners a bit more about identity theft?

So it could lead to stuff like potentially people doing stuff such as you know, either trying to acquire stuff like your own bank funds.

They could sign up for services and stuff like that in your name.

You know, there’s a lot of different things that can happen with it.

But yeah, there’s there’s all sorts of things like, you know, signing up for services, see if people can maybe even like try and go down the route of potentially getting like loans or credit in your name but then it all goes to them mobile phone contracts, you know there’s a lot of different things that people can do and usually it’s you know it’s low level scammers that kind of really try and do the most with identity fraud kind of stuff.

I guess it all depends on what information Yeah, it’s down to what information you’ve actually acquired, how they themselves could figure out how to utilize your information to then benefit themselves at least for a short while until they get caught.

What advice do you both have for people that have had their data leaked?

So in terms of anyone who’s had that data leaked, if it is a case of the have information out and about you know I would heavily suggest things such as passwords are changed, trying to limit the amount of data that you are sharing on the internet itself, me personally, you know on social media accounts, it literally just has my initials, it doesn’t even have my full name on there.

I try and hide as much personally identifiable information that’s out there about myself and, you know, we live in a social media age.

So it’s a case of, you know, it is hard to hide your online presence to keep up with friends and family, so, you know, reducing your information to a tiny footprint is probably a good idea.

And just generally just avoiding things such as third party marketing, cookies and all the other trackers and available things out there because all that does is, you know, you giving up your, essentially you’re giving up parts of your privacy to a marketing and advertising and stuff like that, which obviously becomes quite a nuisance in the modern age as well.

Definitely agree with you there, Chris. Everyone should be careful what information they make public.

Are there any comments you would like to add?

Yeah, so again, it depends on what type of data has been leaked and if you’ve been made aware of the data that’s been leaked.

So for example, this JD, in this leak, there’s no passwords have been leaked apparently.

So it’s more more losing their email, their phone numbers and everything can really lead to sort of primarily phishing attacks and phishing.

This is more not necessarily something you can do unless they really want to go about changing their phone number and email, but maybe having correct spam filters on emails could help you with phishing attacks as well as just generally being more knowledgeable in sort of the whole sort of phishing aspect really, would you say?

Two factor authentication is a good one as well to have?

Yes, I mean you should always have two-factor authentication, no matter what. I think that’s just an added layer on top of the phishing. I think that helps if you’ve been, if you’ve been exploited by a phishing attack, that’s when multi-factor authentication would help.

So as I’ll just add a little extra point there.

So yeah even even in cases where you know myself I’m signed up to a service where if any of my personally identifiable information has been discovered as part of a breach, I get email alerts of this and then it’s a case of I have multifactor authentication activated on every single online account that I manage myself that I’m aware of.

There’s also the terms of GDPR.

Which essentially being able to sign up to a service, it should also be just as easy to remove your information from that service.

And that was the entire point of GDPR.

in the case of where you sign up and say if you do have a lot of service emails and stuff that comes through You should be able to just send an email to that company and say I want you to remove my information.

I don’t want to use it for marketing or advertising purposes, I don’t want to give it to third parties, and they have to abide by that and reply within a reasonable time.

Players because even if your passwords get breached, there’s still missing that additional security method to get into your accounts, there’s there’s a lot of time you don’t even know that you’ve actually been a part of a security breach.


A good example of this is a dark invader.

Fantastic, fantastic tools where they can basically find data on the dark web and you’ll be surprised what you can pull out of them, what you’ve seen.

It’s kind of like scary.


I think a lot of people, especially those who don’t work within the security industry itself, they don’t understand that there is the fact is that the moment you’ve released your personal information to a company, there is always the chance that someone else is going to get a hold of that information.

So you always need to be wary with what you are providing to companies, how many services you are actually signing up for stuff like, you know, even if you see these like little fun applets and stuff for social media sites where it’s kind of like, hey, I’m going to put a filter on your face, please sign up for our service and then we’ll convert your photo.

These are over.

These are other issues where you don’t know how many steps they’re taking to actually gain a lot more of your information and then you’re also putting a face to your information as well and then that could be in another database that then gets breached and the whole cycle continues.

So reducing services that you think might be a bit fishier, even though they’re fun at the time, it could lead to a position where you have been a victim of identity fraud because of this.

I know me and you, Chris, was speaking earlier on about a friend of mine who used Instagram nearly got hacked as they sent her a message saying someone tried to sign into her account but she didn’t have two-factor authentication.

I think it’s always important for people for people’s passwords to have a mixture of numbers mixture of symbols.

So it’s hard for hackers to try and guess the passwords of course so generally you know there’s the whole kind of good practices the five random words for passwords that one’s always great using combinations of numbers and letters but yeah you know just just making sure passwords are as random as possible you know Nothing nothing that relates back to yourself and then so yeah in terms of the passwords so passwords and multi factor authentication to go hand in hand while it is a good idea to set strong passwords using you know a lot of randomness in there.

You know even a combination of maybe 3 to 5 words numbers letters symbols.

On top in order to protect yourself.

So as long as you’re getting something like a token or an email or a code that you need to enter alongside it, then at least whoever is potentially going to hack into an account as long as they don’t have access to your authentication methods that are outside of a password.

Well then they’re going to really struggle to get in there.

Yeah, can you give our Tech Bite listeners some key examples of keeping their data safe?

Password managers is a good one, definitely reading what you’re signing up to.

One of the main ones that I always tell people is whenever you’re signing up for a new service, always make sure the tick boxes that you’re taking are actually read.

Because quite a lot of the times you’ll see it where there’s a combination of have you read our terms and conditions and agree to this but and there’s always that extra tick box just below it which is we may provide your data to third parties.

Are you okay with this? The moment you click yes on that one, you have no idea where your data is going because you don’t know where their partners are and it can be quite difficult to find out even from the company themselves who is going to gain access to that information and for what use is there going to have.

Me and you, Louis, mentioned password managers in our last podcast we did, we mentioned, was it 1Password?

1Password was a great tool. LastPass is a great tool even for the older generation in terms of password managers, even if it’s a case of those who aren’t as clued up, and I know this even might sound contradictory, contradictory to quite a lot of best practices that we would supply to clients and stuff like that.

But in terms of personal use and stuff like that, I’d say don’t save your passwords to an actual device on your browser, you know, if you’re using any form of syncing and stuff like that to actually have a consistent profile across all the camps.

I tell older members of my family, you know, if you’re gonna have passwords, have a nice little notebook, hide them in there somewhere and then just make sure that’s kept in a drawer and not out in, you know, out in the open, just keep it hidden away only, you know, which kind of notebook you’ve got that might have some hidden passwords in it, but it’s just to make sure that people are forgetting them as well.

And with the older generation, we do always have to kind of think of solutions that work for them as well.

Those who are not as tech as the younger generations.

Why is it now that online retail is getting vulnerable and what can be done about this, as there has been a shocking rise in the number of cyber attacks perpetrated against online retailers in the past year?


So it’s not only just retail, so we’ve seen a massive spike in, especially ransomware and sort of the past honestly the past month to be honest.

So we’ve had food chains and as well the Royal Mail that we spoke about last week, I think the retail market is ever growing right.

I think physically shopping is becoming more obsolete.

I think retail is just online retail is just becoming even better.

So I think it’s just a thriving place for someone for a hacker to try and retrieve details from it.


I think the retail market itself gets heavily attacked purely because of the mass amounts of data that they will actually be holding.

And the more and more data company is holding, the more and more, you know, it can start to creep and become a lot harder to manage and keep secure. So in terms of online retailers especially with JD and the subsidiaries of JD that were attacked.

You know, there’s there’s companies such as size in there as well I believe.

And I believe there’s going a couple of the groups in there.

But you know there are some high level retailers in that I do see a lot of football and each one of these retailers when you go to their websites now they’re offering either guests check out or let’s make it easy for you will save your payment details will make an account for you and this is where you know, even though they’re offering that service, these retailers do need to look into ways to keeping that data a lot more secure.

And even so I don’t believe a lot of retailers will be offering things such as multifactor authentication because they just see it as like a quick checkout functionality.

So we’re not actually sure, well, it hasn’t been released yet to what they were vulnerable to security wise, so we’re not actually sure if it was phishing or something.

It was just described in the articles as malware in a very kind of rudimentary way about it.

So until it’s kind of released we will be too sure how it was that they got breached.

It’s just something they need to I guess work on isn’t it sort of making sure it’s secure?


So in terms of like operational and technical procedures and stuff like that you know making sure they’ve got good patch management.

Are complying, making sure in the house, you know that they’ve got good managerial procedures as well, you know, locking screens as a bare minimum is one that goes on past in most office places.

Do you think it’s like something to do with more like a like they don’t want to spend money on sort of these sort of services and making sure it’s locked or do you think it’s more just a competency issue where they just don’t think that it would be a problem quite a lot of the time, it seems to be a 50 50 case of competency versus cost and is quite a lot of the time, you know, and I never want to doubt the ability of teams of people that are out there working in similar industry to us.

But unfortunately when something like this happens, you do have to one, unfortunately you’ve got to question the competence and how things have been handled and what kind of management procedures are in place to handle these things in future.

And what kind of disaster recovery procedures are now going to happen in order to reduce this and what they’re gonna do moving forward is to stop it happening again.

I think it’s hindsight is a wonderful thing, isn’t it?

Yeah, I think it is.

I think, I think at first glance, right, if you haven’t been hacked like this before, you probably wouldn’t think much of it, but I’m sure they’re going to probably after this very uptight with this.

So someone such as myself who has worked, you know, both on the red team side of things and working as a network security officer, it is one of those kinds of things where for us guys obviously we see every vulnerability working, doing red team work.

But then when it comes to the actual defensive side of things, you know, there’s always that red tape around being able to achieve the levels of security that you want to achieve.

So that’s where the costing comes in more than anything but also the size of workloads operate decent patch management cycles and you know make sure maintenance is kept up with what’s also dealing with day to day queries.

So it is one of those kinds of things where a lot of there is a lot of creep to the workload and unfortunately these big blunders eventually come out with at the end of the day should be seen more investment to be honest.

I think what you put into it, you know the amount of X.

Amount you put into it.

Yes definitely.

You’re gonna lose way less than if you were hacked like JD.

For example.


And even with such things such as the cyber insurance marketplace at the moment now, so back when cyber insurance was originally kind of introduced as a feature that like companies could sign in for from like insurance providers.

We’re now actually at the point where these breaches that are recurring you know almost weekly now causing even the premiums to go up that massively that it’s actually cheaper for companies to just invest correctly instead of paying for cyber insurance.

I think it’s not only just monetary value that they’re losing.

I think it’s all in reputation, reputation, customer trust is a massive reputation always is the main thing that comes before is the reputation that will affect them in the long run especially because now retail online retail is massive compared to physically shopping yourself, you know, I think someone’s going to second guess about now, shopping at JD.

Definitely, what do you think the future looks like for JD’s and other retailers?

So this is a great question.

So I did research check the stock evaluation for them and it hasn’t hit them stock wise, it hasn’t actually hit them.

So that’s why I think it is predominantly just going to be on the trust side to be honest.

I think their reputation has been hit very hard.

Yeah, I feel like you know, something like JD Sports, which is obviously a lot more local to the UK, I believe is a retail log, you know, it won’t have as much of a stock market kind of issue, but in terms of breaches such as like with bigger companies such as Microsoft and Cisco, which also happened recently, their market shares were heavily affected at the time, but it will bounce back purely because of the fact is that even, you know, industry giants can be subject to a breach in some form.

The retailer has said it has taken the necessary immediate steps to investigate and respond to the incidents, including working with cybersecurity experts and to be aware of potential fraud attacks.

Have you got any final comments before we end this Tech Bite today?

In terms of the professionals, you know, no doubt in situations such as this where a breach of this size is a giant scare.

Hopefully they are using hopefully the people who have hired to assist them through this difficult time do implement good procedures, but at the end of the day is down to the companies themselves, they can hire as, you know, as higher skilled experts as they want.

But if the culture within the businesses don’t change, then things like this will happen again.

So it does essentially become a culture shock to the companies themselves.

I definitely agree with you there, Chris. I think they need to invest more into their cyber security to avoid them from having an attack like this again. Finance head of JDS has stated that they are continuing with a full review of their cyber security in partnership with external specialists following this incident. Thank you both for joining me on today’s Tech Bite.

It’s been really great having you both on again and thank you to our Tech Bite listeners for tuning in. Join me next week on another Tech Bite.


Lewis is the Marketing Manager here at Pentest People, handling our brand identity, event planning and all promotional aspects of the business.