FatFace, a UK retail clothing chain, is facing a lot of hot criticism over their handling of a recent data breach. In a notification to customers, they royally botched the situation, and everyone is talking about it.
Last Wednesday, FatFace sent out an email notification to customers alluding to a “sophisticated criminal attack” they experienced in January but then requesting that customers “please do keep this email and the information included strictly private and confidential.” They mentioned that the data breach may have included customer information but provided no way for customers to confirm if their information was included in the data breach. They directed shoppers to contact Experian for free credit monitoring instead. Any personally identifiable information (PII) stolen could be used for identity theft.
In the email, FatFace said after finding suspicious activity on their network,
“We immediately launched an investigation with the assistance of experienced security professionals who, following a thorough investigation, determined that an unauthorized third party had gained access to certain systems operated by us during a limited period of time earlier the same month. FatFace quickly contained the incident and started the process of reviewing and categorizing the data potentially involved in the incident.”
As a follow-up to their email, Troy Hunt, founder of HaveIGotPwned? sent the customers an email informing them that their full names, email addresses, home addresses, and partial credit card information (last four digits and the CVV) were found in the data breach dump.
What the Critics Are Saying
There are three critical faux pas made here that the critics point out as how “not to handle a data breach.”
FatFace claims they are abiding by the EU General Data Protection Regulation rules. However, because the company waited two months before alerting customers of a data breach, Twitter blew up with angry comments from customers last week. During the two months, customers could have protected their accounts and kept an eye on personal information being used for fraud. FatFace should have notified the GDPR within 72 hours after the incident. It is unclear whether or not they did. The company claims they did, but when pressed about why they waited two months to alert customers, they responded with “the process of reviewing and categorizing the data involved [was] a significant task which has taken considerable time.”
Secondly, what angered customers most of all is that not only did the email not include a formal apology, but it then pressured them to keep the incident quiet by requesting they “keep this email and the information included within it strictly private and confidential.” It has the feeling of a cover-up. The email was sparse with details which made customers suspicious, lacking any real information or instructions on what they should do about it.
Another black mark against FatFace is the email subject, which was “Strictly private and confidential - Notice of security incident.” Nothing in the email contained any personal or identifiable information, so why the drama in the message subject?
Having no way to verify the phone number contained in the email customers are expected to call and provide personal information over the phone. The whole thing goes completely against how online security and keeping personal information safe are supposed to work.
Public affairs professionals stress that when you make a statement and then try to hush people up about it, they are probably going to talk more than if you said nothing. The correct way to handle a data breach is not to try and cover it up but to take responsibility, make the announcement, apologize, and do what is necessary to rectify the problems created by the intrusion.
Unfortunately, FatFace handled the incident as poorly as possible, and they are facing a lot of bad press and unhappy customers due to their methods and messaging.