On Monday, fashion giant JD Sports was targeted in a shocking cyber attack that may have exposed the personal and financial information of 10 million customers.
The incident, which impacted shoppers who placed orders between November 2018 and October 2020, potentially revealed customer names, delivery, billing, email addresses, phone numbers, and the last four digits of payment cards.
The data breach included people who shopped at JD, as well as the group’s Size, Millets, Blacks, Scotts, and MilletSport brands.
The sportswear firm has since reassured shoppers that hackers did not access their full payment data or their account passwords. However, customers are being urged to stay vigilant over scam emails, calls and texts from people posing as the retailer.
The JD Sports incident is yet another example of the rise in cyberattack incidents, with the retail industry experiencing a 90% increase in ransomware attacks last year, according to a report from SonicWall.
But why was JD targeted in this way? What implications will the retailer face and what does the attack tell us about the need for wider security reform in the industry?
As a result of the cyber attack, JD Sports could be facing a fine of more than £17 million.
“The aggravating factors here are the numbers involved, the personal data accessed and the length of time since the infringement,” Jonathan Compton, partner at city law firm DMH Stallard said.
Compton believes JD can expect fines up to the higher maximum permitted under Part 6 of the Data Protection Act 2018.
“The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher,” he adds.
Indeed, such data breaches can have devastating repercussions for retailers. However, while such fines are clearly detrimental, reputational damage and loss in consumer trust can also cause irreparable harm which may last much longer than a short-term fine.
In response to the cyber attack, JD said it is engaging with the UK’s Information Commissioner’s Office and insists that protecting customer data is an “absolute priority” for the company.
However, Check Point Software security engineer Muhammad Yahya Patel believes the attack triggers fundamental questions about how JD is storing and safeguarding customer information.
“In this case we see historic data has been affected, which raises questions regarding the volume of information being stored and what security is being implemented around it,” he says.
“As consumers, we trust retailers to secure our sensitive details. A breach of this size, or indeed any size, erodes that trust, which can be hard to recover.”
With the Retail Trust Index revealing that 50% of consumers don’t feel retail brands are doing enough to protect their online data, cyber attacks clearly have the potential to severely damage the reputation of a business.
“For too long retail brands have been focused on the collection and mining of the personal data of their consumers with scant regard for the potential consequences,” Empathy.co chief executive Angel Maldonado said.
“JD Sports is, unfortunately, a prime example of this with the latest analysis highlighting it as the worst offender in UK retail when it comes to the use of intrusive online data tracking practices.
“As it stands only 16% of consumers trust JD Sports – with more than 10 million consumers affected by this breach, we can only expect this mistrust to worsen. It’s vital to improve consumer trust in this sector; we see more brands in retail wakening up and taking a new approach to giving the protection of customer data the priority it deserves.”
While the sports retailer was quick to communicate with the affected consumers and alleviate concerns about bank details being accessed, there are clearly fundamental operational issues around security that must be addressed.
The wider industry
“A question remains as to whether consumers are becoming numb to the large-scale customer data breaches that are rapidly becoming the norm,” Darktrace head of threat research Hanah Darley said.
Indeed, such data breaches are becoming increasingly common, indicating that the wider retail industry must take notice.
“While this event is, of course, unfortunate, it is one of many attacks against the retail and manufacturing sector, highlighting a clear need for the industry to assess how it handles cyber security and the personal information of its customers,” CybSafe chief executive Oz Alashe MBE said.
In fact, CybSafe research reveals that the retail sector is by far the most vulnerable to such attacks. In the 2021/2022 financial year, the industry accounted for more than 1 in 5 of all cyber attacks. Moreover, the sector has seen a notable increase in ransomware attacks, rising 7% compared to the previous year and accounting for 32% of total cyber attacks.
“Within the retail sector, trust is essential. Customers want to be confident that their personal information is protected, especially in the new age of online shopping,” Alashe adds.
SANS Institute UK and Ireland director John Davis also believes that cybercriminals are “levelling up” with more prevalent and sophisticated attacks that are harder to detect.
“Brand reputations and relationships with customers are on the line. Customers will reward businesses who can persuade them they are best equipped to manage their data,” he says.
With complex and sprawling digital estates that store an enormous amount of customer information, retailers are especially vulnerable to cyber attacks. While consumers may be used to news like this, shoppers and retailers alike must stay vigilant.
“JD Sports’ data breach reminds us that no organisation is safe, and everyone has a role to play in digital fortification,” Davis adds.
“Following a huge number of high-profile security breaches just in the past year, we’ve learnt that budget alone is not enough to implement adequate defences.”