British fashion retailer FatFace has been hacked.
Whoops! I said it. Sorry.
I’m not sure FatFace wanted anyone to talk about it, so maybe I shouldn’t have mentioned it.
Because its email notification to breached customers stars like this:
“Strictly private and confidential”
Let’s read a little further:
“Please do keep this email and the information included within it strictly private and confidential.”
What a shame FatFace hadn’t been quite so cautious about the privacy and confidentiality of its customers, eh?
An unspecified number of them have had their names, email addresses, address details, and partial payment card details (last four digits and expiry date) compromised.
FatFace discovered suspicious activity on its network on January 7 2021, and says it quickly put things right.
However, it has taken FatFace over two months to tell its affected customers.
FatFace tries to explain away the delay by saying it has taken time to “clearly identify who was (and was not) involved in this incident and to identify precisely what information was involved”.
“This identification effort was comprehensive and coordinated by our external security experts; it therefore took time to thoroughly analyse and categorise the data to ensure we can provide the most accurate informtion possible.”
This is the reason FatFace gives for not raising the alarm earlier. This is the reason why people who continued to shop on FatFace’s website after the hack was discovered, were not informed that there had been a security breach. It’s definitely not because FatFace was worried that it might put some people off shopping with them.
Well, never mind. I’m sure other potential customers will be comforted by the thought that FatFace wanted customers who had had their pesonal details stolen by hackers to keep it secret, and not talk about it to anyone.
FatFace says in the email that it would rather no-one talked about that “FatFace is a safe place to shop, both in store (when we can reopen our shops) and online.”
Unsurprisingly, some customers have taken their disappointment with the way FatFace has communicated the hack public, posting on social media.
But yeah, FatFace would rather if you just took it to a private DM instead…
Further reading: FatFace pays out $2 million to Conti ransomware gang
Sadly, this playbook may play out positively for them. Their consumer base is desensitized to "your information has been hacked" e-mails at this point that by making it seem its a low-key event it may fall under the radar. The average person does not read this blog, and something like this should be a scandal. Unfortunately, these days it is par for the course.
Or – by telling people the message is 'private and confidential' they may be trying a bit of reverse psychology. Get people angry about this and they'll talk about the brand even more (especially when told not to).
This isn't accurate information, some of it is. Get the facts right first
Which information is inaccurate?