FatFace Faces Customer Anger After Controversial Breach Response
British clothing retailer FatFace is facing a mounting storm of criticism for its handling of a “sophisticated criminal attack” which led to the compromise of customers’ personal data (PII).

In an email to customers, shared this week by Have I Been Pwned founder Troy Hunt, the firm revealed that the breached data included customers’ full names, email and home addresses and partial card details (last four digits and CVV).

“On January 17, 2021 FatFace identified some suspicious activity within its IT systems,” the email noted.

“We immediately launched an investigation with the assistance of experienced security professionals who, following thorough investigation, determined that an unauthorized third party had gained access to certain systems operated by us during a limited period of time earlier the same month. FatFace quickly contained the incident and started the process of reviewing and categorizing the data potentially involved in the incident.”

However, the firm has come in for criticism from security experts and customers for its handling of the incident.

Despite claiming in the email that its focus was on “customer care and regulatory requirements, including the UK and EU General Data Protection Regulation,” some reacted angrily on Twitter that it had taken over two months to notify customers.

It’s unclear when the privacy regulator, the Information Commissioner’s Office (ICO), was informed of the incident. The UK GDPR requires a controller to notify the ICO within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; that deadline applies to the regulator, not to affected customers, who must be told “without undue delay” only where the risk to them is high.

FatFace claimed in the email that it had taken this long to notify as it was trying to provide “the most accurate information possible” on what had been taken and who was affected.

Customers were also angry that the email, signed by CEO Liz Evans, did not offer a formal apology for the in ..