JD Sports admits intruder accessed 10 million customers' data

Sports fashion retailer JD Sports has confirmed miscreants broke into a system that contained data on a whopping 10 million customers, but no payment information was among the mix. In a post to investors this morning, the London Stock Exchange-listed business said the intrusion related to infrastructure that housed data for …

  1. wolfetone Silver badge

    "Protecting that data of our customers is an absolute priority for JS"
    1. jonha

      Nope. They take security EXTREMELY seriously.

      As always. As do all the others, like BA or TalkTalk.

      So no reason at all to worry.

      1. Version 1.0 Silver badge

        Hackers take security EXTREMELY seriously because you can make a lot of money from it, but if you are the company boss then your first thought might be that security is expensive... so being hacked might save you money. I'm not gaslighting, it's just that the modern data environment prioritizes access everywhere, security is just a "feature" these days.

  2. Gene Cash Silver badge

    has enlisted the help of "leading cyber security experts."

    How 'bout doing that BEFORE you're hacked? Doesn't this imply you weren't taking due care?

  3. Missing Semicolon Silver badge

    All lies

    There is also this

    Not a "hack". The usual unprotected bucket. Totally liable.

    1. Black Label1

      Re: All lies

      Agree 100%

  4. Anonymous Coward

    Had An E-Mail from JD Sports..... in Portuguese

    Nothing from JD sports for 7 years, then suddenly an e-mail from them in Portuguese.

    The web addresses of inbuilt links point to the UK website, and the translation of the text (some, I did not select all) indicates it is about a security breach.

    Haven't a clue why it is in Portuguese.

    1. Yet Another Anonymous coward Silver badge

      Re: Had An E-Mail from JD Sports..... in Portuguese

      Haven't a clue why it is in Portuguese.

      Security, how many Chinese super ninja cyber warriors speak Portuguese? Taps side of nose, knowingly

      1. Neil Barnes Silver badge

        Re: Had An E-Mail from JD Sports..... in Portuguese

        Wasn't Macau a Portuguese colony? Perhaps it's still spoken there, as in Goa?

  5. elsergiovolador Silver badge
    I am sick and tired of recruiters asking "do you want to see JD?"

    Why would I want to? Duh...

  6. Falmari Silver badge

    no payment information was among the mix

    "miscreants broke into a system that contained data on a whopping 10 million customers, but no payment information was among the mix."

    Sure, of course not, that information never is! Seems every time these companies report their servers got hacked the hackers never get away with payment information.

    "The company does "not hold full payment card details" and said that it has "no reason to believe that account passwords were accessed.""

    And like every other company that has been hacked they are unable to see any reason for them to believe account passwords were accessed. No reason! You've been fucking hacked what more of a reason do you need?

    1. Claptrap314 Silver badge

      Re: no payment information was among the mix

      So, uhh, yeah. This has been a security feature at a LARGE number of places for almost two decades. Credit card data is stored with a separate company, who provides only a token. That token is stored as part of the user record. The separate company actually processes all credit card charges, and only accepts connections from the IP address that the merchant uses for those purposes, and only credits the merchant's account.

      So this one, I believe.

    2. SloppyJesse

      Re: no payment information was among the mix

      > Seems every time these companies report their servers got hacked the hackers never get away with payment information.

      Because PCI DSS -

      Unlike retailers when storing personal details, the credit card networks (Mastercard, Visa, etc) do take security seriously. They're still not perfect, but the security requirements around the actual payment information are significantly more than 'just' personal data.

      1. EnviableOne

        Re: no payment information was among the mix

        Mastercard and VISA are no better than the retailers, after all they are just processing networks.

        FFS there are not even rate limits on transactions from the same vendor, or IP or even for the same card.

        Based on the "Card-holder not present" workflow, you can brute force a valid set of card details, as by mixing processors you can get incrementally more details, and the card network tells you not just that the details are invalid, but which ones are wrong.

        But it's all moot anyway, the details that were leaked are far more valuable to any miscreant than the card data would have been.

        Full address details, security answers and transaction details will get you full access to their credit profile and leverage for extortion...

  7. Phil Kingston

    Yet again we're left asking why do they keep that information in the first place? Use it, delete it. There's no reason private information on someone's online order from 5 years ago should still be kept.

    1. A Non e-mouse Silver badge

      Data Protection rules state that you shouldn't keep data for longer than is strictly necessary. Keeping data "Just because" is not a valid reason.

    2. that one in the corner Silver badge

      OTOH being able to look back over my order history is quite useful: ah, I was right, I *did* order one of those doodads 6 years ago, but it was sent to Bert directly for his birthday. And I did buy that book and it was sent to my current address, not imagining it, so worth carrying on looking to see where it got buried.

      So how much of the order data is there absolutely "no reason at all to keep"?

  8. A Non e-mouse Silver badge

    They had an "expert" on the BBC this morning telling people that to keep their data safe from these kinds of leaks they have to use good passwords. Their expert clearly doesn't know much about IT security if they think that's how 10 million users' data was leaked.

  9. Missing Semicolon Silver badge
    The data was leaked last year. Why am I only receiving the mail this week? Surely sitting on the issue for months is illegal?

  10. Duffaboy

    Dear JD Sports customer, if you do not pay us 1 Million in Bitcoins

    Then we shall withhold your trainer and shellsuit order. You have 24 hours to comply.

  11. Mark Dirac

    Let's keep this one quiet boys

    I received their email. Short and lacking in detail. So inadequate that I imagined the email to be fake. I went to JD Sports's website to confirm the validity of their email. Nothing - no mention whatsoever. I visited their corporate website. No mention. No news. Dismissed.

    JD Sports are certainly trying to keep this one quiet.

  12. AdagioForStrings

    Only Limited Data Stolen

    According to the email I received, only limited data was stolen.

    "Only limited information was held on this database consisting of full name, delivery and billing address(es), email address, phone number, final 4 digits (only) of payment card and/or order details."

    That limited data included my full name, billing and delivery addresses, email address, and mobile phone. So everything needed to impersonate me or scam me then. Pretty damn sure that covers most of the PII.

    1. Tony.

      Re: Only Limited Data Stolen

      Data was limited to only the data they had!

  13. Plest Silver badge

    "Yeah, someone broke into the house, rifled through my wife's unmentionables and took a few snaps for fun and then left. I'm not worried about it, all they got was an erection and some pics of my bathroom and the kitchen, it'll be fine."
  14. GruntyMcPugh

    "Sports fashion retailer JD Sports"

    Should "fashion" be in quotes? I see kids wearing baggy crotch carrot leg trackies, and well, it might be "fashion" but it's not stylish. Discuss.