FatFace Was Hacked and It Delayed Notice Distribution for Two Months

• UK retailer FatFace has had a data breach incident that was kept a secret for over two months.
• The customers were eventually informed about it but asked to keep it confidential.
• The backlash has sent a clear message that data breaches cannot be kept under the rug.

FatFace, a British clothing and fashion accessories retailer, has suffered a pretty severe data breach incident which it chose to keep secret for two full months. When the relevant notifications finally reached the compromised customers, the company surprised them even more by asking them to keep the information confidential, essentially shifting responsibility to them. That wasn’t exactly welcomed by the retail chain customers, who went onto social media and shamed the firm for its approach in handling this.

Hey @FatFace, you don't get to email me about a data breach, and then ask me to keep it confidential. That's not how this works. Also, waiting 2 months to inform your customers is pretty poor showing.

— Simon Lambert (@snow_gibbon) March 24, 2021

@FatFace thanks for sharing my personal data due to your security breach ... and taking 2 months to warn me. Just hope I'm not a victim of identity theft now. And you have the cheek to tell customers to keep the email contents confidential- guess so you don't damage your brand😡

— Rafaby (@Abigail13625947) March 24, 2021

The details that have been compromised include the following:

• First name and surname
• Email address
• Address details
• Partial payment card information - last 4 digits and expiry date

The event took place on January 17, 2021, so more than two months have passed since then. While partial payment card information isn’t enough to perform purchases, many of the FatFace customers report that they have been receiving weird phishing messages lately. The firm says that the threat was identified and mitigated immediately, the ICO has already been informed, and that its website remains fully operational and totally safe to use.

Today, the FatFace staff got informed about the breach, and for them, the situation is a tad bit worse. According to a leaked internal memo that Forbes obtained, the company informed its employees that their bank details, including sort codes and account numbers, have been compromised. In addition to this, the infiltrators could have stolen the staff’s National Insurance numbers, home addresses, phone numbers, and partial payment card information.

In both cases, FatFace is planning to offer a 12-month membership on Experian Identity Plus, helping staff and customers stay protected against identity theft or banking fraud attempts. In any case, if you see any signs of trouble, make sure to report them to your bank immediately before things get out of control.

Indeed, FatFace hasn’t handled this incident properly, endangered its customers for over two months, and ultimately had the audacity to ask them to keep the breach a secret. This is not how things work today, and the backlash they got from following this approach should be a lesson to everyone. Cyber-attacks happen, firms are constantly bombarded by malicious actors, so if something bad occurs, you’d better take responsibility and inform everyone immediately.