FatFace cyber-attack put employee bank and NI details at risk

A cyber-attack against the high street clothing retailer FatFace in January also put the bank details and National Insurance numbers of current and former employees at risk, This is Money can reveal.

The chain came under fire from customers yesterday after it took two months to inform them personal details including their name, email and physical addresses had been put at risk in a ‘sophisticated criminal attack’.

However, we have discovered that employees of the retailer were told in a similar email yesterday that their bank account number, sort code and National Insurance number could have been accessed by unauthorised third parties in January.

This includes those who have been made redundant in the pandemic, including one ex-employee let go last summer who had an email telling them they’d had their bank details compromised in an extra kick in the teeth.  

For sale, your details: FatFace admitted to employees on Wednesday their account number, sort code and National Insurance number could have been harvested by data thieves

The attack would put them at a significant risk of identity theft or even allow data thieves to set up direct debits to steal money from compromised accounts.

FatFace failed to publicly disclose this on Wednesday when news of the breach came to light, saying in a statement only that ‘some employment related information’ had been accessed by third parties.

This is Money has asked the retailer, which has more than 200 UK stores, how many staff had this information put at risk and why it felt it was not necessary to mention this yesterday.

It said in a statement it was contacting ‘a select number of employees, former employees and customers and providing appropriate guidance and support.’

The email from chief executive Liz Evans to a former member of staff was subject lined ‘strictly private and confidential’, the same as the message sent to customers, and asked the recipient to ‘keep this email and the information included within it strictly private and confidential.’

It told the recipient: ‘We are contacting you as one of our valued former employees to let you know about a recent security incident which involved some of our systems, including those that potentially held some information about you.’

Like the email sent to customers reported by This is Money yesterday it said the retailer had ‘identified some suspicious activity within its IT systems’ on 17 January. 

After an investigation, Evans said an ‘unauthorised third party had gained access to certain systems operated by us during a limited period of time earlier the same month.’

As well as the incredibly sensitive information, staff also had other personal details including names, addresses and partial payment information put at risk as a result of the cyber-attack, if they had bought items from the retailer, which specialises in outdoor wear.

Some customers on Twitter rounded on the company over the leak of their data and the fact it did not tell them for two months afterwards

Some customers on Twitter rounded on the company over the leak of their data and the fact it did not tell them for two months afterwards 

Those who received the email from FatFace were told ‘to remain vigilant to everyday phishing attempts including any risk of identity theft and fraud’, check bank and card statements regularly and keep an eye on their credit files for any evidence that accounts had been opened by identity thieves in their name.

Affected shoppers were also offered a free 12-month subscription to the credit reference agency Experian’s ‘Identity Plus’ service.

The services allows subscribers to have access to their credit report at any time for free and alerts them to any changes which are made to their report or if their details have been found on the ‘dark web’, where they could be sold on by criminals.

But customers rounded on the chain for not telling them about the leak of their personal data sooner. 

The Information Commissioner’s Office confirmed it had been notified, and under data protection rules firms should report a breach to it within 72 hours of becoming aware of it.

The retailer also received a raft of negative Trustpilot reviews when news of the cyber-attack became public

The retailer also received a raft of negative Trustpilot reviews when news of the cyber-attack became public

However, affected customers and staff have only been told their name, address, bank details and National Insurance number could have been harvested by criminals two months later.

One, Nicola Middleton, tweeted on Wednesday: ‘As a long-running FatFace fan I am hugely disappointed at their mishandling of the January 2021 data breach.

‘Not only was the email appallingly written, but their Twitter responses are clearly scripted copy and paste jobs – so unfriendly.’

Another, Moira, tweeted: ‘It’s a bit rich that FatFace wait two months to inform their “valued customers” of a serious data breach and tell us to keep the email and information included in it strictly private and confidential.’

There also seems to be little pattern to who has been affected, with shoppers who placed orders with it as recently as last December and as long ago as 26 months ago receiving the email on Wednesday.

This is Money also counted six one-star reviews left on the website Trustpilot on Wednesday, with customers complaining about their data being put at risk and the time taken to inform them about it.

FatFace said in a statement: ‘We have been undertaking a thorough investigation into events with the assistance of numerous third-party experts. 

‘We wanted to get as much clarity on events and the data concerned before providing those involved with details of what has happened to ensure we knew what data may have been involved so we could support them properly. 

‘With incidents such as these it is important (and takes time) to get this right. We also notified the Information Commissioner’s Office, police authorities (via Action Fraud) and the National Cyber Security Centre of the incident.’

We have also contacted the ICO to ask when companies should inform customers about data breaches.

Some links in this article may be affiliate links. If you click on them we may earn a small commission. That helps us fund This Is Money, and keep it free to use. We do not write articles to promote products. We do not allow any commercial relationship to affect our editorial independence.