Employees of British fashion retailer FatFace were told that their bank details may have been stolen in a hack that the company suffered in January.
FatFace wrote to customers yesterday telling them that their personal information may have been compromised in a cyber attack on its systems. The company asked customers to keep the details of the attack “strictly private and confidential” – a move that backfired when several angry customers posted on social media complaining that it had taken the company two months to notify them of the attack.
However, it has now become clear that the customers were not the only people affected by the attack. A former FatFace employee – who asked not to be named – forwarded me an email from the company saying the personal data of the staff was also compromised in the attack.
Of particular concern to those affected, the personal information that FatFace believes may have been compromised includes the bank details of staff members, including sort codes and account numbers.
Other staff information that may have been stolen includes national insurance numbers, contact information (including home address) and limited payment card information.
Risk of identity theft
In an email to staff and former staff, FatFace insists that the limited payment card information that was stolen “cannot be misused for fraudulent transactions, so you don’t have to cancel your payment card on this basis.” However, security experts advise affected staff to contact their bank.
“Staff must now be extremely vigilant and familiarize their banks with this new undisclosed information,” said Jake Moore, a cybersecurity expert at security firm ESET.
“They should remain on high alert for fraud and identity theft, as this is the next step that threat actors will no doubt take. Inevitably, phishing email addresses may appear that require additional details in the near future, if not already. The biggest problem here is the delay in which the affected are informed.”
Remedial measures
As with the customers affected by the breach, FatFace is offering affected staff a free 12-month membership of Experian Identity Plus, so they can monitor their accounts for potential signs of identity theft.
However, questions will again be asked why it took the company two months to notify both staff and customers of the attack.
In an email sent to both staff and customers, the company blames the delay on the time it took “external security experts” to “thoroughly analyze and categorize the data to ensure we provide the most accurate information possible.”
Moore says it would be better for the company to come clean sooner. “Companies need to understand that accepting unavoidable violations will actually strengthen their brand. It is much more harmful to bury violations these days.”
FatFace says it has reported the breach to the UK Information Commissioner and “other law enforcement agencies”.
I contacted FatFace for comment, but emails sent to the company bounced back.