FatFace customer details at risk as clothing chain is hit by ‘sophisticated criminal attack’ which leaves shoppers open to identity theft
- Customers were told it had discovered suspicious activity on 17 January
- It sent an email out saying names and addresses may have been put at risk
- It was sent to one shopper who bought clothing in October and December
- It warned customers to be vigilant over potential identity theft attempts
High street clothing retailer FatFace has told customers some of their personal and card details could be at risk after its systems were hit by a ‘sophisticated criminal attack’ in January, This is Money can reveal.
In an email to affected customers this morning, chief executive Liz Evans said the retailer had ‘identified some suspicious activity within its IT systems’ on 17 January.
After an investigation, she said an ‘unauthorised third party had gained access to certain systems operated by us during a limited period of time earlier the same month’.
For sale, your details: FatFace admitted to customers this morning personal and partial payment details may have been put at risk in a ‘sophisticated’ cyber attack
Affected customers have been told personal data including first and surnames, email and physical addresses and partial payment card information, the last four digits of a card and its expiry date, could have been put at risk in the cyber raid.
The compromising of personal information could result in those affected becoming more vulnerable to identity theft or lead to them being targeted by phishing emails, but FatFace insisted full payment details had not been put at risk.
Evans said: ‘Therefore, the payment card information cannot be misused for fraudulent transactions, so you do not need to cancel your payment card on this basis. Further, no other financial data relating to you was involved in this incident.’
The email carried the subject line ‘Strictly private and confidential – Notice of security incident’, and asked customers to ‘keep this email and the information included within it strictly private and confidential’.
In it the retailer did not disclose how many customers had been affected, but one customer who placed orders in December and October received the email warning their details were potentially at risk.
Another recipient who spoke to This is Money said they had last ordered from it more than two years ago, while another had made one order ‘roughly a year ago’.
Those who received the email from FatFace were told ‘to remain vigilant to everyday phishing attempts including any risk of identity theft and fraud’, check their bank and card statements regularly and keep an eye on their credit files for any evidence that accounts had been opened by identity thieves in their name.
Affected shoppers were also offered a free 12-month subscription to the credit reference agency Experian’s ‘Identity Plus’ service.
This enables subscribers to have access to their credit report any time for free and alerts them to any changes which are made to their report or if their details have been found on the ‘dark web’, where they could be sold on by criminals.
Other high-profile companies which have seen customers’ details put at risk in the recent past include the airlines British Airways and easyJet, which had the details of 9 million customers put at risk in a data breach it made public last May.
The personal details of 9m easyJet customers were put at risk in a data breach last year
Meanwhile in December 2019 This is Money broke the news that a jewellery brand popular with the Duchess of Sussex, Meghan Markle, had been hit in a cyber raid which saw personal and payment details harvested by malicious software.
Liz Evans has run FatFace since 2019 after joining from fellow retailer Oasis and Warehouse, which went into administration in April 2020 and saw its online business snapped up by Boohoo last June.
The chain, which has more than 200 stores across the UK, is well-known for its outerwear, including coats, jumpers, scarves, gloves and boots.
Evans added in the email: ‘We have taken various additional steps to further strengthen the security of our systems.
‘Please rest assured that our systems are secure, our website remains fully operational and FatFace is a safe place to shop, both in store (when we can reopen our shops) and online.’
FatFace told This is Money in a statement that it had contacted ‘a select number of employees, former employees and customers’ and was ‘providing appropriate guidance and support.
‘Anyone who has not received an email can rest assured that they are not required to take any specific steps in response to the incident at this time.’
The Information Commissioner’s Office also confirmed it had received notification of the breach from FatFace.
A spokesperson from the ICO, which has the right to fine companies which put personal data at risk, said: ‘People have the right to expect that organisations will handle their personal information securely and responsibly.
‘When a data incident happens, we would expect an organisation to consider whether it is appropriate to contact those affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.
‘FatFace has made us aware of an incident and we are making enquiries.’