FatFace customers warned following major cyberattack

representational image of a cloud firewall
(Image credit: Pixabay)

UK clothing retailer FatFace has warned customers that their card details may have been exposed after the company was hit by a cyberattack.

In an email to customers, the firm said it had, 'identified some suspicious activity within its IT systems' on January 17, and following further investigation, had confirmed an attack on its systems.

This had led to fears that customer payment information such as card details may have been breached and stolen, with other personal data also thought to have been affected.

TechRadar needs yo...

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

"Strictly private"

In the email to customers entitled "Strictly private and confidential - Notice of security incident", FatFace chief executive Liz Evans said that an, "unauthorised third party had gained access to certain systems operated by us during a limited period of time earlier the same month."

Along with payment card details, the affected data is thought to include first and surnames, email and physical addresses - with fears that customers will be targeted by criminals using phishing emails that look to steal the victim's identity.

Evans did note that the company didn't think full payment information has been stolen, saying that customers would not need to cancel their cards or worry about any other financial data being involved.

FatFace's response to the attack has already come under fire from many in the security industry, who have questioned the time it took for the company to alert customers - as well as the fact it tried to hide the details. 

Evans' email asked customers to, "keep this email and the information included within it strictly private and confidential", with recipients offered a free 12-month subscription to the credit reference agency Experian's 'Identity Plus' service in case of any attempts to sell on their personal data.

“Astonishingly, it took FatFace over 2 months to inform customers about this breach, which may have led to an increased risk of identity theft or targeted phishing emails," said Jake Moore, Cybersecurity Specialist at ESET.

"What makes this even worse is that FatFace attempted to keep this information private - even after the breach was disclosed to their customers - attempting to keep it limited to only those affected knowing about it. It can be extremely damaging trying to bury a breach – far worse than being honest up front and admitting it at the earliest opportunity. Breaches are inevitable and we can all learn from them, so it is vital we start to share best practice and discuss how systems are compromised among our peers.”  

Evans added that FatFace had, "have taken various additional steps to further strengthen the security of our systems."

"Please rest assured that our systems are secure, our website remains fully operational and FatFace is a safe place to shop, both in store (when we can reopen our shops) and online."

The Information Commissioner's Office (ICO) said it had received notification of the breach from FatFace, adding that, "Fatface has made us aware of an incident and we are making enquiries."

Via ThisIsMoney

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.