August 10, 2021
FatFace, a British clothing and fashion accessories retailer, has suffered a pretty severe data breach incident which it chose to keep secret for two full months. When the relevant notifications finally reached the compromised customers, the company surprised them even more by asking them to keep the information confidential, essentially shifting responsibility to them. That wasn’t exactly welcomed by the retail chain customers, who went onto social media and shamed the firm for its approach in handling this.
The details that have been compromised include the following:
The event took place on January 17, 2021, so more than two months have passed since then. While partial payment card information isn’t enough to perform purchases, many of the FatFace customers report that they have been receiving weird phishing messages lately. The firm says that the threat was identified and mitigated immediately, the ICO has already been informed, and that its website remains fully operational and totally safe to use.
Today, the FatFace staff got informed about the breach, and for them, the situation is a tad bit worse. According to a leaked internal memo that Forbes obtained, the company informed its employees that their bank details, including sort codes and account numbers, have been compromised. In addition to this, the infiltrators could have stolen the staff’s National Insurance numbers, home addresses, phone numbers, and partial payment card information.
In both cases, FatFace is planning to offer a 12-month membership on Experian Identity Plus, helping staff and customers stay protected against identity theft or banking fraud attempts. In any case, if you see any signs of trouble, make sure to report them to your bank immediately before things get out of control.
Indeed, FatFace hasn’t handled this incident properly, endangered its customers for over two months, and ultimately had the audacity to ask them to keep the breach a secret. This is not how things work today, and the backlash they got from following this approach should be a lesson to everyone. Cyber-attacks happen, firms are constantly bombarded by malicious actors, so if something bad occurs, you’d better take responsibility and inform everyone immediately.