The customer and employee information stolen includes names, addresses, National Insurance numbers, banking details, and the last four digits of credit and store card numbers, according to TechCrunch. The company discovered the breach on January 17, 2021, but only notified customers and employees some two months later. Its reason? The company said it had been investigating the matter. That may well have been the case, but under U.K. data protection law (the UK GDPR) an organisation must report a personal data breach to the Information Commissioner's Office within 72 hours of becoming aware of it, and must inform affected individuals without undue delay where the breach is likely to put them at high risk.
Additionally, FatFace requested the email it sent out be kept private and confidential. This did not last for long and the breach was made public after a former employee reported it.
FatFace has also reportedly paid a $2 million (about £1.5 million) ransom to the Conti ransomware gang following a successful ransomware attack earlier this year.
Looking at the issue for Digital Journal is Anurag Kahol, CTO and Cofounder of Bitglass.
Kahol begins by looking at the reporting delay, noting: “It’s concerning that it took the company over two months to disclose this data breach. The personally identifiable information and financial details stolen in this incident put those affected at greater risk of financial fraud and identity theft. Organizations that suffer from a breach should take responsibility and disclose its full impact as soon as practicable.”
Kahol goes on to look at the security weaknesses: “While maintaining compliance with privacy regulations should always be a top priority, this incident also highlights the inadequacy of reactive approaches to cybersecurity. To prevent unauthorized access, organizations need to adopt flexible security platforms that provide a wealth of capabilities which proactively detect and respond to threats as they arise. For example, implementing capabilities such as step-up multi-factor authentication, data loss prevention, and user and entity behavior analytics can give organizations much needed control over access to their data. In today’s frenetic world, real-time protections are absolutely necessary.”