FatFace would like everyone to keep its data breach “strictly private and confidential”

Keep it close to your chest, ok?

Graham Cluley
@gcluley

British fashion retailer FatFace has been hacked.

Whoops! I said it. Sorry.

I’m not sure FatFace wanted anyone to talk about it, so maybe I shouldn’t have mentioned it.

Because its email notification to breached customers stars like this:

“Strictly private and confidential”

Let’s read a little further:

“Please do keep this email and the information included within it strictly private and confidential.”

What a shame FatFace hadn’t been quite so cautious about the privacy and confidentiality of its customers, eh?

An unspecified number of them have had their names, email addresses, address details, and partial payment card details (last four digits and expiry date) compromised.

FatFace discovered suspicious activity on its network on January 7 2021, and says it quickly put things right.

However, it has taken FatFace over two months to tell its affected customers.

Sign up to our newsletter
Security news, advice, and tips.

FatFace tries to explain away the delay by saying it has taken time to “clearly identify who was (and was not) involved in this incident and to identify precisely what information was involved”.

“This identification effort was comprehensive and coordinated by our external security experts; it therefore took time to thoroughly analyse and categorise the data to ensure we can provide the most accurate informtion possible.”

This is the reason FatFace gives for not raising the alarm earlier. This is the reason why people who continued to shop on FatFace’s website after the hack was discovered, were not informed that there had been a security breach. It’s definitely not because FatFace was worried that it might put some people off shopping with them.

Well, never mind. I’m sure other potential customers will be comforted by the thought that FatFace wanted customers who had had their pesonal details stolen by hackers to keep it secret, and not talk about it to anyone.

FatFace says in the email that it would rather no-one talked about that “FatFace is a safe place to shop, both in store (when we can reopen our shops) and online.”

Unsurprisingly, some customers have taken their disappointment with the way FatFace has communicated the hack public, posting on social media.

But yeah, FatFace would rather if you just took it to a private DM instead…

Further reading: FatFace pays out $2 million to Conti ransomware gang

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 comments on “FatFace would like everyone to keep its data breach “strictly private and confidential””

  1. Sadly, this playbook may play out positively for them. Their consumer base is desensitized to "your information has been hacked" e-mails at this point that by making it seem its a low-key event it may fall under the radar. The average person does not read this blog, and something like this should be a scandal. Unfortunately, these days it is par for the course.

  2. Or – by telling people the message is 'private and confidential' they may be trying a bit of reverse psychology. Get people angry about this and they'll talk about the brand even more (especially when told not to).

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.