In yet another reminder that all businesses are nowadays data businesses, UK high street clothing retailer FatFace has found itself this week at the centre of a storm of criticism over its handling of a data breach.

Reports of the breach began to emerge on Tuesday after the company emailed customers warning that their personal data may have been accessed by “an unauthorised third party”. The email specified that this information included names, addresses, email addresses and the last four digits of credit card numbers, plus the expiration dates.

FatFace went on to tell its customers that the “payment card information cannot be misused for fraudulent transactions, so you do not need to cancel your payment card on this basis,” and added that the company noticed signs of trouble on 17 January. FatFace subsequently called in outside cybersecurity investigators, who determined that the breach had begun that month. In line with the UK General Data Protection Regulation (GDPR), the incident has been notified to the Information Commissioner’s Office (ICO), the UK data cops, who will examine the case and FatFace’s handling of it.

The retailer has already attracted a storm of criticism, however, as the notification emails to customers were headed: “Strictly private and confidential”, which was widely interpreted as an attempt to keep the breach quiet.

Jake Moore, cybersecurity specialist at ESET, commented:

“Astonishingly, it took FatFace over two months to inform customers about this breach. What makes this even worse is that FatFace attempted to keep this information private. It can be extremely damaging trying to bury a breach – far worse than being honest upfront and admitting it at the earliest opportunity.”

“Our teams have worked nonstop with third-party experts to contain the incident, get our systems operational and minimise the impact,” said FatFace in a statement. “Our systems are secure. We are now operating as normal, and FatFace remains a safe place to shop online or in-store (when shops reopen)”.

Queried on the incident, the ICO stated: “FatFace has made us aware of an incident and we are making inquiries.”

FatFace sells clothing online and, in normal times, through its network of more than 200 bricks-and-mortar shops. The shops are mostly in the UK and Ireland with some in the US. The shops are closed at present due to Covid-19 lockdown restrictions, which have hit high street retailers hard over the past year.

Last September FatFace changed hands in a debt-for-equity swap in which creditors Lloyds and Goldman Sachs received ownership of the business from its previous owner, private equity firm Bridgepoint. Bridgepoint had acquired the company from Advent International in 2007, according to GlobalData market intelligence.


Read more: Verkada security breach: a case of pervasive surveillance and scarcity of robust IoT security framework