British Retailer ‘Fat Face’ Suffers Security Breach
The attacker was able to access employees’ and customers’ personal data, including names, addresses and financial information.
In a statement provided to Information Security Media Group, British lifestyle clothing and accessories retailer Fat Face revealed it suffered a security breach.
“Fat Face was recently subject to an IT incident and became aware that some of our systems were accessed by an unauthorized third party. Unfortunately, following expert investigation, we now understand that this third party was able to access personal data of some of our employees and customers.”
The company says it discovered the breach on January 17th and brought in third-party investigators, who confirmed the attack had begun that month. Soon after, Fat Face began investigating what types of information might have been exposed.
Some employee and customer information was disclosed, including names, addresses, email addresses, and the last four digits of credit card numbers plus the expiration dates.
In an email to affected customers, the retailer stated that the “payment card information cannot be misused for fraudulent transactions, so you do not need to cancel your payment card on this basis,” and also noted that “no other financial data relating to you was involved in this incident.”
In its customer notification, Fat Face gave assurances that it had security defenses in place designed to protect customer data, and attributed its failure to protect that data to having been the victim of a “sophisticated criminal attack.”
Surprisingly, the email alert’s subject line was “Strictly private and confidential – notice of security incident.”
Since data breaches involve the exposure of customers’ personal details, they are a matter of public record, especially in countries that must comply with the General Data Protection Regulation. Hence, the security incident is very much not private or confidential.
DataBreachToday Executive Editor Mathew J. Schwartz reported that all affected customers were offered a one-year prepaid subscription to an Experian identity theft service, which monitors individuals’ financial records and alerts them if any suspicious activity occurs.
Fat Face explained its decision, saying it is “purely out of an abundance of caution and not because we consider your data specifically to be at risk, and to help you to monitor your personal information for certain signs of potential identity theft.”
The company says it has notified Britain’s Information Commissioner’s Office about the breach and they’re currently investigating the incident.