FatFace pays $2m ransom after data breach hush up
Retailer FatFace has paid $2m to the Conti ransomware gang after asking customers to keep quiet about its data breach – two whole months after the event occurred.
British retailer FatFace informed affected customers of a data breach that occurred two months earlier by marking the email “Strictly private and confidential”, in a bid to keep the breach quiet.
On 17 January, FatFace discovered ‘suspicious activity’ within its IT systems, which it says it immediately set about investigating and securing. However, it wasn’t until 23 March that FatFace alerted customers to the breach.
According to the retailer, an undisclosed number of customers had their personal data compromised, including names, email addresses, address details and partial payment card details, i.e. the last four digits and expiry date.
The email came labelled as private and confidential, giving the impression that the retailer wished to hush up the breach, meaning customers continued to shop via its website after the breach was discovered.
However, FatFace disputed the suggestion that it was trying to avoid losing customers, stating, “This identification effort was comprehensive and coordinated by our external security experts; it therefore took time to thoroughly analyse and categorise the data to ensure we can provide the most accurate information possible.”
Unfortunately, this had the Streisand effect of creating extra press by aggravating customers further. Following the breach details with “Please do keep this email and the information included within it strictly private and confidential” only exacerbated the irony of requesting secrecy after customers’ data had been violated. Many users took to social media to share their frustration:
The irony: we lost your data, don't tell anyone please
— Matt Burgess (@mattburgess1) March 23, 2021
Journalist Mathew J. Schwartz asked Britain's Information Commissioner's Office, which enforces the General Data Protection Regulation in the UK, whether labelling a data breach notification ‘strictly private and confidential’ is acceptable; the privacy watchdog would only confirm that it was “making inquiries” about the breach.
Shame on @FatFace for taking 2 months to tell us about a data breach
Happened on 17/01/21
• First name and surname.
• Partial payment card information
Tell customers sooner when data is breached
— CheapAccounting.co.uk expert - Elaine Clark (@cheapaccounting) March 23, 2021
FatFace pays $2m ransom to Conti ransomware gang
According to Computer Weekly, FatFace entered into negotiations with the Conti ransomware syndicate soon after discovering the breach.
Conti is believed to have originally demanded 213 Bitcoin ($8m), as the criminals appear to have thought that amount would be covered by the retailer’s ransomware insurance.
Computer Weekly provides a snippet of the negotiation between FatFace and Conti:
A Conti representative disclosed that it first hacked FatFace via a phishing attack on 10 January, which allowed them to gain admin access to FatFace’s network.
Conti extracted 200GB of data from FatFace’s network before encrypting the system with ransomware on 17 January. FatFace ended up paying $2m to the ransomware gang after explaining that its revenues had been reduced by the pandemic.
Most surprising is that Conti reportedly offered advice to FatFace on how to improve its security after the ransom was paid.