The breach affected online shoppers at Blacks and Millets. Photo: Bob Smith/grough

Customers of JD Sports, including the outdoor brands Millets and Blacks, have been warned the company was subject to a cyber attack.

JD Sports said data relating to some online orders placed by up to 10 million people between November 2018 and October 2020 may have been obtained during the incident.

In a statement, the company said: “The affected data is limited. JD Sports does not hold full payment card data and, further, has no reason to believe that account passwords were accessed.

“The information that may have been accessed consists of the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards of approximately 10 million unique customers.

“We have taken the necessary immediate steps to investigate and respond to the incident, including working with leading cyber security experts.”

JD Sports said it is engaging with the relevant authorities, including the Information Commissioner’s Office and was working with cyber security experts.

“We are proactively contacting affected customers so that we can advise them to be vigilant to the risk of fraud and phishing attacks. This includes being on the look-out for any suspicious or unusual communications purporting to be from JD Sports or any of our group brands.

JD Sports chief financial officer Neil Greenhalgh said: “We want to apologise to those customers who may have been affected by this incident.

“We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these. We are continuing with a full review of our cyber security in partnership with external specialists following this incident.

“Protecting the data of our customers is an absolute priority for JD.”