FatFace in cyber hack, blasted for trying to keep it quiet

By

Nigel TAYLOR

Published
Mar 26, 2021

FatFace has been left red-faced on two counts. The UK fashion retailer has only just told customers that their personal and card details could be at risk after its systems were hacked in January. And the business then asked customers to keep the information confidential, although it said this was due to the nature of the emails it was sending that were of a confidential nature.

Fat Face has admitted it had been the subject of a “sophisticated criminal attack” to it systems but has yet to disclose how many customers had been affected. 

In an email to affected customers headed 'Strictly private and confidential - Notice of security incident', chief executive Liz Evans said the retailer had “identified some suspicious activity within its IT systems” on 17 January.

It added: “We immediately launched an investigation with the assistance of experienced security specialists, who, following thorough investigation, determined than an unauthorized third party had gained access to certain systems operated by us during a limited period of time earlier the same month”.

The email goes on to claim that “FatFace quickly contained the incident”.

However, it added: “Please do keep this email and the information included it within it strictly private and confidential”.

Under the UK data protection laws, a company must disclose a data breach within 72 hours of becoming aware of an incident. But there are no legal requirements on the customer to keep the information confidential. 

And the email hasn’t gone down well with the retailer’s customers, many of whom have taken to social media to show their dissatisfaction at the company’s delayed response and attempt to keep the hack confidential.

While some personal information could have been accessed, FatFace insisted full payment details had not been put at risk.

Evans said: “Payment card information cannot be misused for fraudulent transactions, so you do not need to cancel your payment card on this basis. Further, no other financial data relating to you was involved in this incident”.

Those who received the email from FatFace were told “to remain vigilant to everyday phishing attempts including any risk of identity theft and fraud”, check their bank and card statements regularly and keep an eye on their credit files for any evidence that accounts had been opened by identity thieves in their name.

Affected shoppers were also offered a free 12-month subscription to the credit reference agency Experian's 'Identity Plus' service. 

The chain, which has more than 200 UK stores across the UK, said it has taken various additional steps to further strengthen the security of its systems. 

Although FatFace has yet to make a public announcement, in a statement seen by Techcrunch and sent via crisis communications firm Kekst CNC, FatFace said: “The notification email was marked private and confidential due to the nature of the communication, which was intended for the individual concerned. Given its contents, we wanted to make this clear, which is why we marked it private and confidential”, according to an unnamed spokesperson.