Data security in the wake of the JD Sports data breach

On 30th January 2023, leading trainer and sports fashion retailer JD Sports communicated to over 10 million of its customers that it had experienced a data breach following a cyber attack in which its servers were maliciously accessed by a third party hacker. The attack involved the personal data of customers who had placed orders with JD Sports as well as other JD Sports group companies, such as Millets, MilletSports, Scotts, Size?, JD and Blacks between 2018 and 2020. The information affected included its customers’ names, telephone numbers, email addresses, home addresses and last 4 digits of the card used for the payment.

Unfortunately, breaches of this nature are not uncommon. In 2022, a report conducted by IBM found that 83% of organisations have experienced a data breach, with 45% of these breaches being cloud-based. Whilst they may not be rare, data breaches are serious and even a relatively small one can have a devasting effect on a company if it is not handled properly. Adverse effects can reach all corners of a business as these may include claims for compensation and regulatory action as well as reputational damage which can affect the ability to continue trading for a significant period of time, so minimisation of these effects is key.

Having an understanding of what a data breach is will help identify whether one has occurred. Action must be taken immediately to provide best protection and minimise those adverse effects mentioned above. Therefore, identifying whether a breach has occurred should be afforded urgent attention. According to the Information Commissioner’s Office (ICO), a personal data breach is defined as a security incident that has affected the confidentiality, integrity or availability of personal data.

Data breaches can be caused in various different ways, both deliberate and accidental, but what is most important is the speed and efficiency of your reaction once you have identified that a data breach has occurred.

In the case of JD Sports, it quickly sought assistance from cybersecurity experts and notified the affected customers before a full investigation had been completed (which remains ongoing). This is not unusual as full and detailed investigations into the cause of data breaches can take months, and initial steps need to be taken in order to ensure best protection for both the data subjects as well as the organisation. In reacting quickly, JD Sports is likely to have reduced the adverse effects of the breach.

rradar can assist with all stages of data breaches, from preparing internal processes to ensure an organisation is ready to respond quickly to a breach, as well as representation in the event of claims for damages. If you would like to speak to our data team, please contact contactus@rradar.com