JD Sports has notified customers of a data breach, although it says “the affected data is limited.”

JD Sports published a notice on January 30 that it had suffered a “cyber incident” in which a hacker gained unauthorized access to customer data involving online orders that were placed between November 2018 and October 2020. Despite the amount of data accessed, the company says the data does not include full payment information, nor does it have any reason to believe account passwords were breached.

Despite the reassurance, the company says the compromised data does include “the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards of approximately 10 million unique customers.”

“We want to apologise to those customers who may have been affected by this incident,” said Neil Greenhalgh, JD Sports CFO. “We are advising them to be vigilant about potential scam e-mails, calls and texts and providing details on how to report these. We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD.”