JD Sports details cyber security revamp following January attack
It hopes a multi-vendor approach will substantially improve its cyber resilience


JD Sports has confirmed it will be refreshing its cyber security stack following the serious cyber attack it sustained at the start of the year.
In a regulatory filing published on Wednesday, the retail group said it has appointed a third-party consultancy that will work to create a “better-integrated cyber vendor ecosystem” for the company.
“The Group has appointed Boston Consulting Group who will work with best-in-class suppliers to design key tactical and strategic solutions for an efficient and better-integrated cyber vendor ecosystem,” read the company’s financial year-end statement.
“We are confident that this multi-vendor approach is the best solution to deliver outcomes at pace whilst ensuring value for money.”
Additionally, JD Sports has appointed an interim chief information security officer (CISO) to oversee the strengthening of its cyber security posture while the company continues its search for someone to fill the role permanently.
It said the company is also recruiting for a chief information technology officer (CITO).
The CISO role will most likely handle the company’s wider cyber security strategy, while the person hired for the CITO role will focus their time on ensuring the company’s technology - hardware and software - meets the cyber security ambitions set by the CISO.
JD Sports owns a number of high street retail brands, including JD, Go Outdoors, Size?, Blacks, Scotts, and Millets.
Many of these companies were thought to have been affected by the January cyber attack, which at the time JD Sports said potentially affected 10 million customers.
In a statement, the business said that “affected data is limited” - referring to the nature of the data that was exposed to attackers - and the messaging remains the same in today’s regulatory filing.
“On 30 January 2023, the Group announced that it had been the target of a cyber incident which resulted in the unauthorized access to a system that contained customer data relating to some online orders placed between November 2018 and October 2020,” it said.
“Whilst the affected data was limited, the Group took the necessary immediate steps to investigate and respond to the incident, including working with leading cyber security experts. The Group also engaged with the relevant authorities, including the UK's Information Commissioner's Office (ICO), as appropriate.”
The ICO has told JD Sports that it won’t face any enforcement action as a result of the incident but has identified areas in which the business must demonstrate improvement.
Neither JD Sports nor the ICO has revealed what these specific areas were. ITPro has approached both for additional comment.
Enforcement action can relate to a number of different types of punishment. According to the ICO, powers can include enforcing cooperation with an official audit to check compliance with service obligations, an enforcement notice that sets out required steps to maintain legal compliance, monetary fines, legal prosecution, and reporting to Parliament.
Failure to comply with an enforcement notice can lead to legal prosecution and the issuing of “more substantial fines” of up to £17.5 million or 4% of a company’s annual turnover, whichever is higher.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.