Culture

FatFace really, really hopes you haven't heard about its data breach

The company waited more than two months to alert customers to the breach. Then it asked them to keep the incident quiet.

RUSHDEN, UNITED KINGDOM - 2020/07/07: Fatface store seen at Rushden Lakes complex. (Photo by Keith Mayhew/SOPA Images/LightRocket via Getty Images)
SOPA Images/LightRocket/Getty Images

British clothing chain FatFace (yes, that’s really what it’s called) suffered a data breach of undisclosed size on January 17, 2021. The company hopes you haven’t heard about it yet. In fact, FatFace didn’t even alert customers whose data had been compromised until just this week, more than two full months after the fact. And then it asked those customers to keep the incident hush-hush.

In an email that went out to those “valued” customers on March 24, FatFace wrote that the incident has since been resolved and that “full payment information was not compromised.” It seems that the hacker in question was able to retrieve customers’ names, email addresses, physical addresses, and the last four digits of their credit card numbers.

“We immediately launched an investigation with the assistance of experienced security specialists who, following thorough investigation, determined that an unauthorized third party had gained access to certain systems operated by us during a limited period of time earlier the same month,” the letter says.

The extent of the hack isn’t clear from FatFace’s letter, full copies of which are now readily available all over the internet. The emailed statement doesn’t make much about the incident clear at all — save for the fact that FatFace is embarrassed about it.

Rude and also illegal — Anyone who’s been on the wrong end of a data breach knows it’s not exactly good news to receive. Still, it’s important for companies to notify customers as soon as possible so they can ensure their information isn’t being used by a hacker.

FatFace makes it clear in its email that it didn’t take long at all for the company to be made aware of the data breach. A full investigation had been conducted by the end of January. And yet FatFace chose to wait until the middle of March to alert customers to the issue.

This is actually illegal in the U.K., where FatFace is based, according to TechCrunch. U.K.-based companies must disclose any data breaches with 72 hours of becoming aware of the incident.

Transparency is key — As if hiding this breach for months weren’t irresponsible enough, FatFace took this one step further by asking customers to stay quiet about the incident. “Please do keep this email and the information included within it strictly private and confidential,” the letter implores recipients.

Customers are understandably upset about this request. The FatFace Twitter account is full of customers voicing their anger. The company is replying to each complaint asking customers DM it their concerns — in essence asking them once again to keep the matter private.

No one likes getting hacked. But letting customers know as soon as possible is really the only way to deal with these incidents. Anything less than complete transparency is bad form... and bad business.

TechCrunch reports that a similar letter was sent to current and former employees, with largely similar text. The staff email, however, noted that bank account information and National Insurance numbers (the U.K.’s version of social security numbers) may have been compromised. That’s another worrying omission. Perhaps it's time consumers gave FatFace a wide berth.