Customer names, delivery, billing, email addresses, phone numbers, and the last four digits of bank cards were potentially exposed.
It includes people who shopped at JD as well as the group’s Size, Millets, Blacks, Scotts, and MilletSport brands.
The sportswear company does not believe account passwords were accessed, and has assured people affected that their full payment card details were not held. They are however are being warned to watch out for scam emails, calls, and texts.
In an email to customers, JD Sports said: “We take the protection of customer data extremely seriously and we are sorry this has happened.”
The company has said it is engaging with the UK’s Information Commissioner’s Office about the attack.
“We have taken the necessary immediate steps to investigate and respond to the incident, including working with leading cyber security experts,” the firm added.
Neil Greenhalgh, chief financial officer of JD, said: “We are continuing with a full review of our cyber security in partnership with external specialists following this incident.
“Protecting the data of our customers is an absolute priority for JD.”