JD Sports cyber attack: what to do if your data has been leaked

Data relating to 10 million customers of the sports and fashion chain may be at risk

The sports and fashion chain JD Sports has fallen victim to a cyber attack, with data relating to 10 million customers potentially at risk. 

If you placed an order with JD Sports, Blacks, Millets, Millets Sport, Scotts or Size? between November 2018 and October 2020, your data may have been accessed by hackers. 

Here, we explain what data has been leaked and the steps you can take if you've been affected.




What's happened to my data?

JD Sports has confirmed a 'limited' amount of customer data has been obtained by hackers.

The information that may have been accessed includes a customer's name, billing address, delivery address, email address, phone number, order details and the final four digits of their payment card.

JD Sports says it does not hold full payment card details and does not believe passwords to online accounts were accessed.

The retailer says it has taken the necessary steps to investigate and respond to the incident and is engaging with the relevant authorities.

You'll be contacted by JD Sports directly if your data is at risk.

What to do if you're affected


Keep an eye on your accounts

If your personal information was compromised, it's wise to keep an eye on your bank accounts and credit report over the next few months.

Contact your bank immediately if you see anything unusual and explain that you've been the victim of fraud.

It's important to check your credit report to ensure accounts aren't taken out in your name. You should contact Action Fraud, the UK’s national fraud and internet crime reporting centre, if you see anything suspicious.

Be on your guard against scams

Be wary of any suspicious emails, calls or fake 'customer support' messages popping up on social media regarding the breach, as scammers might try to take advantage.

JD Sports also advises that you stay on the lookout for any unusual communications that purport to be from JD Sports or any of its brands. Don't click on any links if the email or text seems suspicious.

If you're contacted by anyone over the phone asking you for personal details or passwords, take steps to check their true identity.

Ask them to give you details that only the company they claim to be calling from would know. For example, details of your service contract, or how much you pay per month.

If you still have concerns about the caller's identity, you should hang up and call the company back. If possible, use a different telephone to check the validity of the phone call.

Bear in mind that scammers may have access to more of your personal information than you might think. If you're at all suspicious, hang up the phone, look up the organisation's number and call it yourself.

If your data is lost and it causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that lost it.

How to protect your data

  • Passwords – Always set strong passwords for your accounts and don’t use the same ones across different accounts.
  • Two-factor authentication (2FA) – Wherever possible, turn on 2FA to increase security, particularly if your account holds your financial information. Rather than SMS, use an authenticator app or even a hardware token if possible.
  • Credit card details – Don’t save your credit card details if you aren’t going to use the service regularly. Although it’s a faff to resubmit them, that’s better than having your financial information unnecessarily stored in a database that could be compromised.
  • Guest checkout – Similar to the above, check out as a guest if you aren’t going to use the service regularly. Only create an account if you really need to.