FatFace would like everyone to keep its data breach “strictly private and confidential”

Keep it close to your chest, ok?


British fashion retailer FatFace has been hacked.

Whoops! I said it. Sorry.

I’m not sure FatFace wanted anyone to talk about it, so maybe I shouldn’t have mentioned it.

Because its email notification to breached customers starts like this:

“Strictly private and confidential”

Let’s read a little further:


“Please do keep this email and the information included within it strictly private and confidential.”

What a shame FatFace hadn’t been quite so cautious about the privacy and confidentiality of its customers, eh?

An unspecified number of them have had their names, email addresses, address details, and partial payment card details (last four digits and expiry date) compromised.

FatFace discovered suspicious activity on its network on January 7 2021, and says it quickly put things right.

However, it has taken FatFace over two months to tell its affected customers.


FatFace tries to explain away the delay by saying it has taken time to “clearly identify who was (and was not) involved in this incident and to identify precisely what information was involved”.

“This identification effort was comprehensive and coordinated by our external security experts; it therefore took time to thoroughly analyse and categorise the data to ensure we can provide the most accurate information possible.”

This is the reason FatFace gives for not raising the alarm earlier. This is the reason why people who continued to shop on FatFace’s website after the hack was discovered were not informed that there had been a security breach. It’s definitely not because FatFace was worried that it might put some people off shopping with them.

Well, never mind. I’m sure other potential customers will be comforted by the thought that FatFace wanted customers who had had their personal details stolen by hackers to keep it secret, and not talk about it to anyone.

FatFace says in the email that it would rather no-one talked about that “FatFace is a safe place to shop, both in store (when we can reopen our shops) and online.”

Unsurprisingly, some customers have taken their disappointment with the way FatFace has communicated the hack public, posting on social media.

But yeah, FatFace would rather you just took it to a private DM instead…

Further reading: FatFace pays out $2 million to Conti ransomware gang


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

4 comments on “FatFace would like everyone to keep its data breach “strictly private and confidential””

  1. Alex Neff

    Sadly, this playbook may play out positively for them. Their consumer base is desensitized to "your information has been hacked" e-mails at this point that by making it seem it's a low-key event it may fall under the radar. The average person does not read this blog, and something like this should be a scandal. Unfortunately, these days it is par for the course.

  2. SW

    Or – by telling people the message is 'private and confidential' they may be trying a bit of reverse psychology. Get people angry about this and they'll talk about the brand even more (especially when told not to).

  3. I

    This isn't accurate information, some of it is. Get the facts right first

    1. Jim · in reply to I

      Which information is inaccurate?
