
FatFace pays $2m ransom after data breach hush up


Retailer FatFace has paid $2m to the Conti ransomware gang after asking customers to keep quiet about its data breach – two whole months after the event occurred.

8th Apr 2021

British retailer FatFace informed affected customers of a data breach that occurred two months earlier by marking the email “Strictly private and confidential”, in a bid to keep the breach quiet.

On 17 January, FatFace discovered ‘suspicious activity’ within its IT systems, which it says it immediately set about investigating and securing. However, it wasn’t until 23 March that FatFace alerted customers to the breach.

According to the retailer, an undisclosed number of customers had their personal data compromised, including names, email addresses, address details and partial payment card details, i.e. the last four digits and the expiry date.


The email came labelled as private and confidential, giving the impression that the retailer wished to hush up the breach; in the meantime, customers had continued to shop via its website for two months after the breach was discovered, unaware that anything was wrong.

However, FatFace disputed the suggestion that it had delayed notification to avoid losing customers, stating, “This identification effort was comprehensive and coordinated by our external security experts; it therefore took time to thoroughly analyse and categorise the data to ensure we can provide the most accurate information possible.”

Unfortunately, this had the Streisand effect of generating extra press coverage by aggravating customers further. Closing the breach details with “Please do keep this email and the information included within it strictly private and confidential” only heightened the irony of requesting secrecy after customers’ data had been compromised. Many users took to social media to share their frustration.

When journalist Mathew J. Schwartz asked Britain's Information Commissioner's Office, which enforces the General Data Protection Regulation in the UK, whether labelling a data breach notification ‘strictly private and confidential’ is acceptable, the privacy watchdog would only confirm that it was “making inquiries” about the breach.

FatFace pays $2m ransom to Conti ransomware gang

According to Computer Weekly, FatFace entered into negotiations with the Conti ransomware syndicate soon after discovering the breach.

The Conti cybercriminals are believed to have originally demanded 213 Bitcoin ($8m), apparently assuming that the sum would be covered by the retailer’s ransomware insurance.

Computer Weekly published an excerpt of the negotiation between FatFace and Conti.


A Conti representative disclosed that it first hacked FatFace via a phishing attack on 10 January, which allowed them to gain admin access to FatFace’s network.

Conti extracted 200GB of data from FatFace’s network before encrypting its systems with ransomware on 17 January. FatFace ended up paying $2m to the ransomware gang after explaining that its revenues had fallen because of the pandemic.

Most surprising is that Conti reportedly offered advice to FatFace on how to improve its security after the ransom was paid.


Replies (1)


By Paul Crowley
14th Apr 2021 14:13

Not really much of a breach.
Name, address and email easily obtained.
Last four not really that much use, and are printed on paper receipts all the time.
