FatFace Data Breach: Company Asks Customers for Secrecy

March 25, 2021

FatFace Data Breach and Confidentiality Request

FatFace, a prominent clothing retailer, recently experienced a data security incident. The company has communicated this breach to its customers, but with an unusual request for secrecy.

Details of the Breach

The breach was initially detected on January 17th. Unauthorized access was gained to company systems, resulting in the compromise of customer data. This included names, email addresses, postal addresses, and the final four digits of credit card numbers.

FatFace has assured customers that complete credit card details were not accessed during the incident. A thorough investigation, conducted with the aid of cybersecurity experts, confirmed the limited timeframe of the unauthorized access.

The Confidentiality Clause

Notably, the notification email sent to customers included a request to maintain strict privacy regarding its contents. The company asked recipients to keep both the email and its information confidential – a directive that carries no legal weight.

U.K. data protection regulations require companies to report breaches within 72 hours of discovery. However, these laws do not impose any obligation on customers to keep breach notifications private.

Public Reaction and Company Response

The request for confidentiality quickly drew criticism from the public. FatFace’s initial response was to direct inquiries to their direct messaging service.

A statement released through communications firm Kekst CNC explained the reasoning behind the confidentiality request. The company stated the email was marked as private due to the sensitive nature of the communication, intended solely for the individual recipient.

The statement was provided without attribution to a specific spokesperson.

Impact on Employees

A similar email was reportedly sent to FatFace staff, including former employees. This communication, obtained by TechCrunch, mirrored the customer notification.

However, the employee email also raised concerns about the potential compromise of bank account details and National Insurance numbers – the U.K.’s equivalent of Social Security numbers.

Scope of the Breach

FatFace has acknowledged that a limited number of employees, former employees, and customers were affected by the data breach.

The company has not disclosed the precise number of individuals impacted by the security incident.