Clothes retailer Fatface: Someone's broken in and accessed your personal data, including partial card payment details... Don't tell anyone

'Strictly private and confidential'? SERIOUSLY?

Updated: British clothes retailer Fatface has infuriated some customers by telling them "an unauthorised third party" gained access to systems holding their data earlier this year, and then asking them to keep news of the blunder to themselves.

Several people wrote in to The Register to let us know about the personal data leak, with reader Terry saying: "You will notice the Fatface email is marked as confidential. This annoyed me."

Chief exec Liz Evans wrote in an email titled "Strictly private and confidential – Notice of security incident" sent to users yesterday:

Please do keep this email and the information included within it strictly private and confidential.

What happened?

On 17 January 2021, FatFace identified some suspicious activity within its IT systems. We immediately launched an investigation... [and] determined that an unauthorised third party had gained access to certain systems operated by us during a limited period of time earlier the same month....

Some of your personal data may have been involved in the incident. This could include some or all of the below listed categories of information relating to you.

  • First name and surname.
  • Email address.
  • Address details.
  • Partial payment card information by way of the last 4 digits and expiry date.

Please rest assured that full payment card information was not compromised. We have been working with the relevant authorities and external security experts to ensure a comprehensive response to the incident. In addition, we have notified the Information Commissioner’s Office in the UK and other law enforcement authorities of this incident.

We have taken various additional steps to further strengthen the security of our systems. Please rest assured that our systems are secure, our website remains fully operational and FatFace is a safe place to shop, both in store (when we can reopen our shops) and online.

Quite reasonably, customers quickly took to social media to ask where they could find "a public statement on your data breach," why the company had waited so long to inform customers, why the mail was marked "confidential" and whether it was genuine. All were directed to kindly "DM" the firm's social media handler.

It also noted that it would be giving recipients "access to a complimentary Experian Identity Plus membership... purely out of an abundance of caution and not because we consider your data specifically to be at risk."

It did not detail how many people had been affected. The firm has "200 stores across the UK and Ireland" – doing particularly well in seaside areas – and offers international shipping, although its website currently says this is unavailable.

According to its most recent financials filed at Companies House, full accounts for the 52 weeks up to 30 May 2020 [PDF], the Group's revenue dropped to £198.2m from £236.4m in 2019, but the company noted that its online business had "doubled in the last five years."

Fatface obtained refinancing last year to reduce its debts and said it had "seen the benefits of the staycation trend in our local market towns and holiday destination stores."

Also in the document, the org said it had firewalls in place and that it made "regular checks... on the security of our systems" and was "implementing Multi-Factor authentication (MFA)," which would be in place by 2020/21.

It also said: "We have commenced a programme of work to upgrade some of our older applications with a modern, cloud-based application with Phase 1 completed and a further phase scheduled for 2021," adding that the "Group has also commenced a core system replacement project which will happen over the next 2 years. Phase 1 has been approved and delivery is underway."

We have asked Fatface how far along it is with this project. We also asked about the extent of the breach as well as its decision to ask customers whose data had potentially been accessed to keep their mouths shut about it.


Ironically, Fatface itself also noted in the financial results document that any "failure to react appropriately in the event of breach... could result in financial penalties or reputational damage."

Neil Brown, a tech-savvy lawyer who runs, told us: "An organisation, which may have failed to keep its customers’ information private, asking those very customers to keep Fatface’s information private? The irony.

"It’s not something I have seen before, and it’s unlikely to enamour Fatface to those whose information has been — or may have been — compromised."

UK data watchdog the Information Commissioner's Office (ICO) told The Register: "People have the right to expect that organisations will handle their personal information securely and responsibly.

"When a data incident happens, we would expect an organisation to consider whether it is appropriate to contact those affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.

"Fatface has made us aware of an incident and we are making enquiries." ®

Updated to add

French publication LeMagIT reports that FatFace paid a $2m ransom, negotiated down from about $8m, to the Conti ransomware gang, which broke into the retailer's network in January, siphoned 200GB, and scrambled its files.
