British clothing retailer FatFace is facing a mounting storm of criticism for its handling of a “sophisticated criminal attack” which led to the compromise of customers’ personal data (PII).
In an email to customers posted by HaveIGotPwned? founder Troy Hunt this week, the firm revealed that the breached data included customers’ full names, email and home addresses and partial card details (last four digits and CVV).
“On January 17, 2021 FatFace identified some suspicious activity within its IT systems,” the email noted.
“We immediately launched an investigation with the assistance of experienced security professionals who, following thorough investigation, determined that an unauthorized third party had gained access to certain systems operated by us during a limited period of time earlier the same month. FatFace quickly contained the incident and started the process of reviewing and categorizing the data potentially involved in the incident.”
However, the firm has come in for criticism from security experts and customers for its handling of the incident.
Despite claiming in the email that its focus was on “customer care and regulatory requirements, including the UK and EU General Data Protection Regulation,” some reacted angrily on Twitter that it had taken over two months to notify customers.
It’s unclear when the privacy regulator was informed of the incident, but under the GDPR it must happen within 72 hours of discovery of a breach.
FatFace claimed in the email that it had taken this long to notify as it was trying to provide “the most accurate information possible” on what had been taken and who was affected.
Customers were also angry that the email, signed by CEO Liz Evans, did not offer a formal apology for the incident, but instead requested that the recipient “keep this email and the information included within it strictly private and confidential.”
Hunt described the missive as “misleading.” For example, although the notice says there’s no financial risk to customers from the compromise of partial card details, such data is often used for identity verification, he noted.
“It feels like a lot of emphasizing their security posture even in the face of breach and downplaying the severity of the incident followed by an acknowledgement that identity theft protection would be a good idea. I’d give it a 5/10 for quality disclosure notice,” he said on Twitter.
“Oh, and the subject of the disclosure email was ‘Strictly private and confidential - Notice of security incident’ - why? It contained no PII other than the recipient’s address, why is a notice of a breach ‘strictly private and confidential?’ That’s really odd.”