British Clothing Retailer Fat Face Discloses Data BreachEmployee and Customer Information Compromised in January Attack; ICO Investigating
British clothing and accessories retailer Fat Face is notifying customers that it has suffered a data breach.
"Fat Face was recently subject to an IT incident and became aware that some of our systems were accessed by an unauthorized third party," the Hampshire, England-based company says in a statement provided to Information Security Media Group. "Unfortunately, following expert investigation, we now understand that this third party was able to access personal data of some of our employees and customers."
The organization says that some employee and customer information was exposed, including names, addresses, email addresses and the last four digits of credit card numbers, plus the expiration dates.
In an email to affected customers, the retailer says that the "payment card information cannot be misused for fraudulent transactions, so you do not need to cancel your payment card on this basis," and also notes that "no other financial data relating to you was involved in this incident."
Fat Face says it discovered the breach on Jan. 17 and brought in third-party investigators, who found that the breach had begun that month. Subsequently, the company began reviewing what types of information might have been exposed.
"We have now completed our review and are contacting you because your information may have been included in the affected systems and we want to provide you with as much information as possible to assist you," the company says in its email to affected customers.
Fat Face declined to identify how many customers or employees were affected or to provide additional details about how the breach occurred.
UK Base of Operations
Founded in 1988, Fat Face sells via e-commerce and at 200 retail stores across the U.K. and Ireland, as well as some in the U.S. Based on the retailer's breach notification, exposed data only appears to affect customers in the U.K. and Ireland.
"Our teams have worked nonstop with third-party experts to contain the incident, get our systems operational and minimize the impact. Our systems are secure. We are now operating as normal, and Fat Face remains a safe place to shop online or in-store (when shops reopen)," the company says.
Most of Fat Face's stores remain temporarily closed due to U.K. government retail restrictions as the COVID-19 pandemic continues. The British government has imposed multiple lockdowns because the overall coronavirus infection levels remain high.
Last September, Fat Face restructured its business using a debt-for-equity swap, in which financial creditors receive equity in the business in return for reducing or canceling any debt it owes. Ownership of Fat Face changed hands from the private equity firm Bridgepoint - owner of the retailer since 2007 - to creditors Lloyds Banking Group and Goldman Sachs.
Email Notification: 'Strictly Private and Confidential'
In its customer notification, Fat Face says it had security defenses in place designed to protect customer data. But in what is by now an old and overused breach notification cliche, the retailer blamed its failure to protect customers' data on it having been the victim of a "sophisticated criminal attack."
Unusually, the Fat Face email alert to affected customers carries this subject line: "Strictly private and confidential - notice of security incident."
Now that data breaches involving the exposure of customers' personal details are a matter of public record, at least in countries that must comply with the General Data Protection Regulation, surely the security incident would very much not be private or confidential?
"The notification email was marked private and confidential due to the nature of the communication, which was intended for the individual concerned," a spokesman tells ISMG. "Given its contents, we wanted to make this clear, which is why we marked it private and confidential."
The retailer says it is directly notifying via email only affected customers. "Anyone who has not received an email can rest assured that they are not required to take any specific steps in response to the incident at this time," it says.
All affected customers are being offered a prepaid 12-month subscription to an identity theft service from Experian, which monitors individuals' financial records and sounds an alert if suspicious activity occurs.
Fat Face tells customers it is offering this "purely out of an abundance of caution and not because we consider your data specifically to be at risk, and to help you to monitor your personal information for certain signs of potential identity theft."
Privacy Watchdog Investigating
The retailer says it's notified Britain's Information Commissioner's Office about the breach. The ICO, which enforces the U.K.'s data privacy and protection laws - including GDPR - says it's investigating.
"People have the right to expect that organizations will handle their personal information securely and responsibly," an ICO spokeswoman tells ISMG. "When a data incident happens, we would expect an organization to consider whether it is appropriate to contact those affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects. Fat Face has made us aware of an incident and we are making inquiries."