JD Sports has warned 10 million customers that their personal data may have been compromised after it was targeted by hackers.

Shoppers who used websites for JD Sports, Size? or Black and Millets between November 2018 and October 2020 may have been affected.

The information that may have been accessed consists of the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards.

JD Sports said it does not hold full payment card data and has no reason to believe that account passwords were accessed.

The company said customers should remain vigilant to the risk of fraudulent activity as its chief financial officer today apologised to those affected by the data breach.

It said hackers gained unauthorised access to a system that contained customer data relating to some online orders placed between November 2018 and October 2020.

“We have taken the necessary immediate steps to investigate and respond to the incident, including working with leading cyber security experts,” said the company in a statement. “We are engaging with the relevant authorities, including the UK’s Information Commissioner’s Office (ICO), as necessary.”

Chief financial officer Neil Greenhalgh added: “We want to apologise to those customers who may have been affected by this incident.

“We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these.

“We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD.”

It is the latest high-profile cyber attack on a British company. British Airways, Marriott Hotels and Royal Mail are among those that have been targeted.

Before Christmas the car dealer and rental firm Arnold Clark had information including addresses, passports and national insurance numbers leaked on the dark web by criminal gang Play.

The Guardian newspaper was also subject to a ransomware attack last month.