FatFace Pays $2M for Breach, Under Fire for Disclosure Process

United Kingdom-based clothing retailer FatFace suffered a ransomware attack from a malicious threat actor called the Conti ransomware gang. Following this, the company was forced to pay up a whopping $2 million to help unlock its respective systems.

FatFace is a clothing company based in the United Kingdom. It also has an e-commerce website in Britain. Verdict said that it has more than 200 stores in the UK, Ireland, and the United States.

According to Verdict, reports surrounding the data breach started to circulate last Tuesday, March 22, 2021, after the company notified possibly affected customers about the incident in an email.

FatFace Under Fire for Disclosure Process

However, in a controversial move, customers were told to keep the cybersecurity attack a secret. Bleeping Computer said a part of the email read, “Please do keep this email and the information included within it strictly private and confidential.”

In the email, the company told customers that their personal data may have been compromised after “an unauthorised third party” gained access to, and subsequently took control of, its systems.

Based on the information provided in the email, Verdict states that the compromised details include the names of customers, their addresses, and their email addresses. In addition to this, financial information pertaining to the last four digits of their credit card numbers and their corresponding expiration dates are also included in the list.

Bleeping Computer said that the Conti gang gained access to FatFace’s systems and network before deploying its ransomware. The attack was initially made on the 17th of January this year, meaning it took the clothing retailer around two months to disclose the data breach to its customers.

A ransom note was reportedly found by Valery Marchive of LeMagIT, the sister publication of Computer Weekly. Bank Info Security reports that Marchive traced the start of the intrusion to a phishing attack on January 10, 2021.

The ransom note initially asked for a massive $8.5 million. However, negotiations allowed the clothing retailer to haggle the ransom down to $2 million. Bleeping Computer said that the Conti gang then kept its word by providing FatFace with the decryption key. It also promised not to leak the roughly 200 gigabytes of customer personal data it had stolen.

Following the breach, the delayed disclosure process, and the audacity of FatFace in asking its customers to remain mum about the incident, a barrage of complaints has taken over social media, with many users airing their grievances on Twitter.

The company has also notified the Information Commissioner’s Office (ICO), as well as relevant authorities, about the cyberattack. As of writing, the company said that its systems have already been secured, especially with the help of third-party security experts.