U.K.-based sports retailer JD Sports has called on law firm Fieldfisher after it was hit by a cyber attack that could affect around 10 million customers. 

The attack, which was revealed by the company on Monday, has resulted in the unauthorised access to a system that contained customer data connected to online orders placed between November 2018 and October 2020, the retailer said in a statement published to the London Stock Exchange.

The compromised data includes customer names, billing and delivery addresses, email addresses, phone numbers, and the final four digits of payment cards. The company added that the affected data was "limited".

U.K. law firm Fieldfisher is advising the company through the matter, a person with knowledge of the attack said. The firm has boosted its European tech and cyber credentials in recent years, making tech partner Rob Shooter its managing partner in 2021, and, capitalising on the surge in cyber threats, launching a dedicated mass litigation unit in Berlin for legal tech and operations.

Law firms across the U.K. have been scaling up their cyber teams amid a spike in high profile attacks on companies such as hotel chain Marriott in 2019, which brought in Freshfields Bruckhaus Deringer to advise. In particular, companies across the west have been bracing against potential Russia-backed attacks since Putin's full scale invasion of Ukraine in 2022.

Given their rich pools of client data, law firms themselves have become common targets. Notably in 2017, DLA Piper was hit by a major cyber attack, which knocked out phones and computers across the firm. More recent targets include Goodwin Procter and CMS, while in November, Cadwalader Wickersham & Taft reported an email network outage that prompted it to wipe the hard drives of firm-issued computers and take many of its internal systems offline.