
FatFace disclosure a case study in ‘bungling the process’

A former location of Fat Face, in Putney Exchange, London. The company was recently the victim of a ransomware attack. (Edward Hands/https://creativecommons.org/licenses/by-sa/4.0/deed.en)

U.K. clothing retailer FatFace has egg on its face after a botched disclosure letter that customers and security professionals consider too late, too secretive and too hard to confirm.

The retailer notified customers Wednesday of a "sophisticated criminal attack" they uncovered in January that may have accessed customer data. The letter contained the unusual request to "[p]lease do keep this email and the information included strictly private and confidential" and offered no way to confirm the breach on a company-branded website before calling a helpline set up to provide Experian credit monitoring.

The public response is a learning opportunity for other organizations.

The three elements at play – waiting two months to alert customers and employees, the request to keep the breach secret and the perhaps-related failure to provide a site to confirm the validity of the breach – led to consternation among patrons and the security community as a whole.

One customer Tweeted, with an enraged emoji: "Hey @FatFace a data breach two months ago? Email asking to keep it confidential? Provide no way to verify it’s a legitimate email but please call this number, that also can’t be verified, to get free online security checks? A complete lack of understanding of online security!"

Since the disclosure emails were sent out, ComputerWeekly published purported chat logs between FatFace and the Conti ransomware gang negotiating a ransom.

In a statement, FatFace explained the "private and confidential" line as such: "The notification email was marked private and confidential due to the nature of the communication, which was intended for the individual concerned. Given its contents, we wanted to make this clear, which is why we marked it private and confidential."

Larry Parnell, director of the strategic public affairs program at George Washington University, told SC Media a strategy of telling people not to discuss being the victim of a crime would likely only accomplish the opposite.

"The right thing to do, perhaps the difficult thing to do, is as soon as you become aware of the breach to notify the public and your customers. Trying to pretend it didn't happen or ask people not to talk about it, is going to look like a cover-up," he said.

Parnell noted that the brevity of the request to keep things quiet, without providing any reasoning or instruction, would be viewed by customers as suspicious and, frequently, unfollowable. Customers would have to at a minimum discuss the breach when closing accounts or taking other steps to mitigate the theft of the data.

If there was a reason to keep the breach quiet, FatFace may have encouraged more discussion. If the point was just to save corporate face, Parnell said, it would be better to rip the Band-Aid off.

In many instances, particularly in Europe and the U.K., waiting two months to alert customers may come with regulatory consequences. According to U.K. law, companies have to notify the Information Commissioner's Office within 72 hours of discovering a breach and notify the public as soon as possible. FatFace said they properly notified government agencies and, while not addressing the two-month delay directly, said "the process of reviewing and categorizing the data involved [was] a significant task which has taken considerable time."

The public, said Parnell, is increasingly accustomed to breaches and willing to accept them if notified without what may appear to them to be subterfuge.

"People are becoming inured to the reality that breaches do happen," Parnell said. "But the difficulty here is, for whatever reason, FatFace is bungling the process of fixing it."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
