JD Sports admits intruder accessed 10 million customers' data Sports fashion retailer JD Sports has confirmed miscreants broke into a system that contained data on a whopping 10 million customers, but no payment information was among the mix. In a post to investors this morning, the London Stock Exchange-listed business said the intrusion related to infrastructure that housed data for …
Hackers take security EXTREMELY seriously because you can make a lot of money from it, but if you are the company boss then your first thought might be that security is expensive... so being hacked might save you money. I'm not gaslighting, it's just that the modern data environment prioritizes access everywhere, security is just a "feature" these days.
Nothing from JD sports for 7 years, then suddenly an e-mail from them in Portuguese.
The web addresses of inbuilt links point to the UK website, and the translation of the text (some, i did not select all) indicates it is about a security breach.
Haven't a clue why it is in Portuguese.
"miscreants broke into a system that contained data on a whopping 10 million customers, but no payment information was among the mix."
Sure of course not that information never is! Seems ever time these these companies report their servers got hacked the hackers never get away with payment information.
"The company does "not hold full payment card details" and said that it has "no reason to believe that account passwords were accessed.""
And like every other company that has been hacked they are unable to see any reason for them to believe account passwords were accessed. No reason! You've been fucking hacked what more of a reason do you need?
So, uhh, yeah. This has been a security feature at a LARGE number of places for almost two decades. Credit card data is stored with a separate company, who provides only a token. That token is stored as part of the user record. The separate company actually processes all credit card charges, and only accepts connections from the IP address that the merchant uses for those purposes, and only credits the merchant's account.
So this one, I believe.
> Seems ever time these these companies report their servers got hacked the hackers never get away with payment information.
Because PCI DSS - https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf
Unlike retailers when storing personal details, the credit card networks (Mastercard, Visa, etc) do take security seriously. They're still not perfect, but security requirements around the actually payment information is significantly more than 'just' personal data.
Mastercard and VISA are no better than the retailers, after all they are just processing networks.
FFS there are not even rate limits on transactions from the same vendor, or IP or even for the same card.
based on the "Card-holder not present" workflow, you can brute force a valid set of card details, as by mixing processors you can get incrementally more details, and the card network tell you not just that the details are invalid, but which ones are wrong.
but its all moot anyway, the details that were leaked are far more valuable to any miscreant than the card data would have been.
full address details, security answers and transaction details will get you full access to their credit profile and leverage for extortion...
OTOH being able to look back over my order history is quite useful: ah, I was right, I *did* order one of those doodads 6 years ago, but it was sent to Bert directly for his birthday. And I did buy that book and it was sent to my current address, not imagining it, so worth carrying on looking to see where it got buried.
So how much of the order data is there absolutely "no reason at all to keep"?
I received their email. Short and lacking in detail. So inadequate that I imagined the email to be fake. I went to JD Sports's website to confirm validity of their email. Nothing - no mention whatsoever. I visited their corporate website www.jdplc.com. No mention. No news. Dismissed.
JD SPorts are certainly trying to keep this one quiet.
According the email I received, only limited data was stolen.
"Only limited information was held on this database consisting of full name, delivery and billing address(es), email address, phone number, final 4 digits (only) of payment card and/or order details."
That limited data included my full name, billing and delivery addresses, email address, and mobile phone. So everything needed to impersonate me or scam me then. Pretty damn sure that covers most of the PII.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
