Fashion retailer FatFace has suffered a significant data breach. The privacy violation happened when an unauthorised third party accessed some employee and customer information. Customer names, email addresses, postal addresses and partial card details may have been exposed in the cyberattack.
To make a bad situation worse, FatFace is facing a backlash on social media after the retailer asked customers to keep news of the hack “strictly confidential”. We can only imagine this was a poorly thought-out attempt to protect its brand reputation.
What has FatFace said about the data breach?
In a statement, FatFace said:
“Fat Face was subject to an IT incident and became aware that some of our systems were accessed by an unauthorised third party. Unfortunately, following expert investigation, we now understand that this third party was able to access certain employee and customer related information.
“Following a thorough exercise involving data analysis and categorisation, we are now contacting a select number of employees, former employees and customers and providing appropriate guidance and support. We have also notified the Information Commissioner’s Office, police authorities (via Action Fraud) and the National Cyber Security Centre of the incident. The incident involved some employment related information as well as some customer personal information including partial payment card data belonging to customers (which cannot be used to purchase anything fraudulently on the card, so customers are not required to cancel any cards). We have notified employees, former employees and customers, as appropriate.
“Our teams have worked non-stop with third party experts to contain the incident, get our systems operational and minimise the impact. The responsibility we have to our customers and colleagues is our highest priority and we continue to invest in security measures to mitigate the growing range of risks faced by businesses.”
Why are FatFace customers angry?
Customers are angry that the retailer failed to protect their confidential data, and FatFace is facing additional criticism because the breach notification emails sent to customers were headed “strictly private and confidential”. Many customers and data breach experts have interpreted this as an attempt to keep the breach quiet.
What’s more, customers are rightly asking why they are only being informed about the breach now, when the hack reportedly took place two months ago. If FatFace had informed customers earlier, they could have taken steps to protect their data from further potential misuse.
Following the breach, affected customers and staff have been offered a complimentary 12-month membership of Experian Identity Plus. However, victims of the privacy violation should ensure that accepting this offer does not take away their rights to make a compensation claim if they later decide to do so.