FatFace paid £1.45m ransom to cyber hackers behind January attack

FatFace paid £1.45m ransom to cyber hackers who put customer and employee details at risk in attack triggered by a dodgy email

  • FatFace told shoppers and staff last week their details had been hacked 
  • At-risk information included names, addresses, bank details and NI numbers
  • The attack took place on 17 January and used ransomware to lock its systems
  • FatFace did not deny its systems were accessed as a result of a phishing email 

The ‘sophisticated criminal attack’ against the clothing retailer FatFace which put employees’ bank details and National Insurance numbers and the personal details of customers at risk was caused by a staff member clicking on a dodgy email, it has been reported.

The chain was forced to pay out a £1.45million ransom to hackers after it was hit by a malware attack in mid-January which locked it out of its systems and harvested 200GB of data, Computer Weekly reported.

Hackers initially asked for $8million (around £5.8million) worth of bitcoin, the website said, but the price was talked down after the 200-store chain argued that its sales had slumped by as much as 75 per cent because the coronavirus pandemic had shut its shops.

Ransomware is a type of malware used to deny companies and individuals access to their systems until a ransom is paid, or until some other demand is met in return for data stolen during the attack

The report did not say when the ransom was paid, but the ransomware was deployed on 17 January, the same day on which, FatFace told customers and past and present employees last week, it had ‘identified some suspicious activity within its IT systems’.

But Computer Weekly said FatFace’s network had been compromised a week earlier, when hackers ‘entered its network via a phishing attack.’

Ransomware, a type of malware which locks companies and individuals out of their systems until a fee is paid or a quid pro quo carried out, is frequently deployed through phishing emails, according to the National Cyber Security Centre.

‘These emails encourage users to open a malicious file or click on a malicious link that hosts the malware.’
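The two lures the NCSC describes, a malicious attachment and a link whose visible text hides its real destination, are the ones an email gateway checks for first. The following Python triage routine is an added illustration written for this page; it is not code from the article, from FatFace or from the NCSC. Both sample messages, the sender addresses and the domains in them (example.com, attacker.invalid) are constructed for the example and are not taken from the FatFace incident.

```python
"""Triage an inbound email for two common phishing lures: an attachment
carrying executable content, and an HTML link whose visible text names
one host while the href points at another.

The sample messages below are constructed for this example only."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that run code when opened; a short list for illustration,
# a production gateway would use a fuller one and inspect content too.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Lower-cased hostname of a URL, or of a bare domain used as link text."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def triage(raw_message: bytes) -> list[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # Lure 1: an attachment with an extension that executes when opened.
    # Double extensions such as invoice.pdf.exe are caught because only the
    # final extension is examined.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")

    # Lure 2: link text that looks like a domain but resolves elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = _host(text) if ("." in text and " " not in text) else ""
            real = _host(href)
            # A subdomain of the shown host (www.example.com for example.com) is fine.
            if shown and real and shown != real and not real.endswith("." + shown):
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


# Constructed phishing sample: a credential lure plus a disguised executable.
SAMPLE = b"""From: "IT Helpdesk" <helpdesk@example.net>
To: staff@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://login-example.attacker.invalid/reset">portal.example.com</a>
to keep your access.</p></body></html>
--b1
Content-Type: application/octet-stream; name="Invoice_0117.pdf.exe"
Content-Disposition: attachment; filename="Invoice_0117.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign sample: link text and destination agree.
BENIGN = b"""From: newsletter@example.com
To: staff@example.com
Subject: Weekly update
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.example.com/news">example.com</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phishing", SAMPLE), ("benign", BENIGN)):
        print(label, triage(raw))
```

Neither check proves a message is malicious; the point is that both lures the NCSC names leave structural traces in the message itself, so they can be flagged before a user ever sees the email, and a gateway that does so cheaply shrinks the number of messages that depend on a staff member spotting a dodgy email.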

Such emails and text messages have been common throughout the coronavirus pandemic with the general public frequently targeted, although these more often seek to harvest personal and financial details which can be used to steal money or commit identity theft.

The NCSC warned only last week that there had been an increased number of ransomware attacks against colleges, schools and universities since late February. The same trend occurred last August and September, when schools reopened after the country’s first lockdown.

In those instances, the NCSC said ransomware had led to the loss of coursework and school financial records. The January attack on FatFace, by contrast, combined locking the retailer out of its systems with the theft of 200GB of data.

Ransomware is often delivered through phishing emails which invite recipients to click on a link or download a file


In an email sent out last Tuesday and reported by This is Money, FatFace chief executive Liz Evans told customers and employees their data had been put at risk after an ‘unauthorised third party had gained access to certain systems’.

It was initially reported that personal details including names and postal and email addresses had been put at risk by the attack, but we later learned that employees’ bank details and National Insurance numbers were also accessed in the hack.

FatFace had previously refused to disclose this information publicly, telling This is Money in a statement only that ‘some employment related information’ had been accessed by third parties.

FatFace - which has more than 200 stores nationwide - told customers and staff about their data and the attack in an email last Tuesday


Recipients of the email notifying them about the ransomware attack, sent more than two months after it took place, were also told to keep the information ‘strictly private and confidential’.

The retailer told This is Money it had been ‘undertaking a thorough investigation into events with the assistance of numerous third-party experts’ and ‘wanted to get as much clarity on events and the data concerned before providing those involved with details of what has happened’.

The Information Commissioner’s Office, the police and the NCSC have all been notified of the attack, it added.

FatFace confirmed to This is Money that it had been ‘unfortunately subject to a ransomware attack which caused significant damage to our infrastructure.’

It did not deny the ransom payout.

A spokesperson said: ‘This was a sophisticated attack by an attacker who has successfully targeted a significant number of different organisations.

‘Thanks to a monumental effort from the FatFace team, alongside external security and legal experts, FatFace was able to quickly contain the incident, restore business operations and then undertake the process of reviewing and categorising the data involved – a significant task which has taken considerable time.

‘Our teams have worked tirelessly to minimise disruption to our highly valued customers and fellow employees, and we would like to thank them for their support during this challenging period. 

‘We have taken various steps to protect our systems from any future reoccurrence.

‘Details of the attack and steps taken are part of a criminal investigation so at this stage we are unable to comment any further. 

‘We recognise that ransomware attacks are an issue which more and more organisations are having to grapple with in the current threat landscape.’