1. Extra Categories
  2. Editor's Pick
March 26, 2021updated 01 Apr 2021 2:46pm

More egg on FatFace face: Retailer paid $2m ransom to cybercriminals

By Lewis Page

Clothing retailer FatFace paid a $2m ransom to the Conti cybercriminal gang during a recent data breach, according to reports.

The breach occurred in January but this only became public knowledge earlier this week when FatFace emailed customers to let them know that their data had been accessed by “an unauthorised third party”. The retailer drew widespread criticism for the lengthy delay in owning up, and for attempting to insist that the affected customers should keep the matter quiet.

Today, French tech publication LeMagIT discovered that the data breach had occurred as part of a ransomware attack on FatFace by the Conti cybercrminal gang. Having encrypted the company’s data, the gang originally demanded a ransom of $8m for its decryption, but were eventually talked down and FatFace paid a $2m ransom in Bitcoin.

The group reduced its demands partly due to FatFace’s bricks-and-mortar shops being shut in lockdown and partly due to some unexplained, irretrievable deletions across FatFace’s digital infrastructure. The Conti negotiator denied that the gang was responsible for this damage, but apparently agreed to cut the ransom demand nonetheless.

Such behaviour is not unusual in a ransomware gang, many of whom prefer to portray themselves as legitimate security consultants. Their penetration of a victim organisation’s networks is typically characterised as a “red team” operation, referring to the legitimate technique in which a team of hired consultants attempt to compromise a client’s systems in order to discover vulnerabilities which need fixing.

The difference between the Conti gang and a legitimate red-team service is, of course, that FatFace didn’t request the gang’s services and agree to pay for them – and an above-board red team would not have needed to encrypt the company’s data in order to extort payment.

The Conti gang is also known for posting stolen data on its “Conti News” website to increase pressure on its victims. Security company Sophos notes that victim organisations with data published on the site are mainly in North America and Western Europe, but a handful are located in other regions. Over a hundred public and private sector organisations working in many different business sectors are listed, with the largest numbers of victims found in retail, manufacturing and construction.

FatFace sells clothing online and, in normal times, through its network of more than 200 bricks-and-mortar shops. The shops are mostly in the UK and Ireland with some in the US. They are closed at present due to Covid-19 lockdown restrictions, which have hit high street retailers hard over the past year.

Last September FatFace changed hands in a debt-for-equity swap in which creditors Lloyds and Goldman Sachs received ownership of the business from its previous owner, private equity firm Bridgepoint. Bridgepoint had acquired the company from Advent International in 2007, according to GlobalData market intelligence.

A FatFace spokesperson told LeMagIT‘s sister publication Computer Weekly:

“FatFace was unfortunately subject to a ransomware attack which caused significant damage to our infrastructure.”

The Information Commissioner’s Office, the UK data regulator, had previously confirmed that it is aware of the case and carrying out an investigation.