British clothes retailer Fatface has infuriated some customers by telling them “an unauthorised third party” gained access to systems holding their data earlier this year, and then asking them to keep news of the blunder to themselves.
Several people wrote in to The Register to let us know about the personal data leak, with reader Terry saying: “You will notice the Fatface email is marked as confidential. This annoyed me.”
Chief exec Liz Evans wrote in an email titled “Strictly private and confidential – Notice of security incident” sent to users yesterday:
Please do keep this email and the information included within it strictly private and confidential.
On 17 January 2021, FatFace identified some suspicious activity within its IT systems. We immediately launched an investigation… [and] determined that an unauthorised third party had gained access to certain systems operated by us during a limited period of time earlier the same month….
Some of your personal data may have been involved in the incident. This could include some or all of the below listed categories of information relating to you.
- First name and surname.
- Email address.
- Address details.
- Partial payment card information by way of the last 4 digits and expiry date.
Please rest assured that full payment card information was not compromised. We have been working with the relevant authorities and external security experts to ensure a comprehensive response to the incident. In addition, we have notified the Information Commissioner’s Office in the UK and other law enforcement authorities of this incident.
We have taken various additional steps to further strengthen the security of our systems. Please rest assured that our systems are secure, our website remains fully operational and FatFace is a safe place to shop, both in store (when we can reopen our shops) and online.
Quite reasonably, customers quickly took to social media to ask where they could find “a public statement on your data breach,” why the company had waited so long to inform customers, why the email was marked “confidential” and whether it was genuine. All were directed to kindly “DM” the firm’s social media handler.
The email also noted that the firm would be giving recipients “access to a complimentary Experian Identity Plus membership… purely out of an abundance of caution and not because we consider your data specifically to be at risk.”
It did not detail how many people had been affected. The firm has “200 stores across the UK and Ireland” – doing particularly well in seaside areas – and offers international shipping, although its website currently says this is unavailable.
I guess they don’t have to notify anyone now that the UK is out of the EU and doesn’t have to conform to GDPR rules…