Privacy Ninja

FatFace Sends Controversial Data Breach Email After Ransomware Attack

British clothing brand FatFace has sent a controversial ‘confidential’ data breach notification to customers after suffering a ransomware attack earlier this year.

This week, customers began receiving data breach notifications revealing that the popular lifestyle clothing brand, FatFace, had suffered a data breach after a cyberattack on January 17th, 2021.

According to the notification, threat actors gained access to FatFace’s network and systems and accessed customer data. This data included customers’ names, email addresses, mailing addresses, and partial credit card information (last four digits and expiration date).

What was controversial about the data breach notification is that it told recipients to “Please do keep this email and the information included within it strictly private and confidential.”

BleepingComputer has covered many data breaches. We have never seen a company ask a user to keep a data breach confidential, and a company likely has no power to make that request.

As you can imagine, this single sentence led to quite an uproar on Twitter, with users baffled that the notification would include that type of language.

While many felt that FatFace was trying to keep the data breach under wraps, it turns out there was much more to the story.

Data breach caused by a ransomware attack

According to Computer Weekly, the data breach was caused by a Conti ransomware attack in January 2021.

A ransom note found by Valéry Marchive of Computer Weekly’s sister publication LeMagIT allowed the publication to review a ransom negotiation between FatFace and the ransomware gang.

As is common in today’s ransomware attacks, the threat actors reviewed the victim’s financial data before deploying the ransomware. This review provided insight into the company’s finances, including FatFace’s cyber insurance coverage, which the threat actors brought up during the negotiations.

While Conti originally asked for $8.5 million, the negotiations ultimately led to a payment of $2 million to gain access to a decryption key and a promise not to leak the 200GB of stolen data.

The threat actors stated that they gained access to an internal FatFace workstation via a phishing attack on January 10th, 2021, where they then spread laterally through the network.

“From there, the team was able to obtain general administrative rights and began to move laterally through the network, identifying the retailer’s cyber security installations, Veeam backup servers and Nimble storage. The ransomware attack itself was executed on 17 January and saw more than 200GB of data exfiltrated,” Computer Weekly reported.

The Conti gang also provided the victim with a report on how to better protect their network, including email filtering, phishing awareness tests, better Active Directory password policies, EDR technology, and an offline backup strategy.

When contacted by Computer Weekly, FatFace confirmed the ransomware attack and said they reported it to law enforcement and the Information Commissioner’s Office (ICO).

“FatFace was unfortunately subject to a ransomware attack which caused significant damage to our infrastructure.” (FatFace)
