JD Sports is contacting customers affected by a cyber attack that may have exposed their personal details.
The incident affected 10 million people who placed orders between November 2018 and October 2020.
Customer names, shipping addresses, billing and email addresses, phone numbers, and the last four digits of bank cards could all have been compromised.
It includes people who shop on JD.com as well as the group’s Size, Millets, Blacks, Scotts and MilletSport brands.
The sportswear company believes account passwords were not accessed and assured those affected that their full payment card details were not taken.
However, they are warned to beware of scam emails, phone calls and text messages.
In an email to customers, JD Sports said: “We take the protection of customer data very seriously, and we apologize that this happened.”
The company said it was in contact with the UK’s Information Commissioner’s Office about the attack.
“We have immediately taken the necessary steps to investigate and respond to the incident, including working with leading cybersecurity experts,” the company added.
Neil Greenhalgh, chief financial officer of JD.com, said: “Following this incident, we will continue to conduct a comprehensive review of our network security, working with external experts.
“Protecting our customers’ data is an absolute priority for JD.”