FatFace cyber attack: Firm was warned by police nine months earlier

FatFace was warned by police about vulnerabilities within its IT systems which put it more at risk from cyber-criminals nine months before it was hit by a £1.45million ransomware attack in January, This is Money can reveal.

A detective from Hampshire Constabulary contacted the clothing chain, which is headquartered in the county, in April 2020 about it having a vulnerable IP address.

The detective, who is also handling the investigation into the ‘sophisticated criminal attack’ on 17 January after it was reported to Action Fraud, asked to be put in contact with the head of IT over the vulnerability, This is Money understands.


Cybersecurity experts said an exposed IP address could ‘greatly increase the risk of successful phishing attacks’ against a company like FatFace.

The policeman refused to discuss the ongoing investigation and any events preceding the January attack, and referred us to FatFace’s press office, which did not respond to multiple requests for comment.

The 200-store clothing chain confirmed to This is Money last week it had been hit by a ransomware attack in mid-January which harvested data, including the bank details and National Insurance numbers of current and former employees and the names and addresses of customers.

It did not deny a report from Computer Weekly which said the chain paid out £1.45million to the ransomware attackers and that the attack was caused by a member of staff clicking on a dodgy email.

However, if attackers were able to exploit vulnerabilities within FatFace’s IT systems, a phishing email that would otherwise have been blocked could have got through, cybersecurity experts said.

‘When someone has control of an IP address, they can bypass the security measures that are already in place within an organisation’, Jake Moore, a specialist at anti-virus company ESET and a former cyber-crime investigator at Dorset Police, told This is Money.


‘This means it is much easier to install malware on a target’s network, and potentially cause all manner of damage.

‘Usually, cybercriminals try to gain access to a network through phishing emails that originate externally, and are therefore much easier to filter and block. 

‘If an internal IP address, however, is used for this communication, then security protocols can be bypassed – such as those that ensure emails are scanned before they are opened.

‘This greatly increases the risk of successful phishing attacks.’

Every computer connected to a network or the internet has its own IP address, in the same way a house has a physical address. 

They are needed to send information from one device to another, just as a sender needs a postal address to deliver a parcel.

They can be hidden using a virtual private network and can be discovered through social engineering scams or taking advantage of existing vulnerabilities.

Although an IP address has been described as ‘only a cog in the attack machine’, attackers can target individuals and companies once they know it. 

One of the most common such attacks is a distributed denial of service attack, in which a network is flooded with traffic from many computers or IP addresses until it can no longer be reached over the internet.

‘Without adequate security, IP addresses can be open for everyone to see – and can therefore be attractive targets for bad actors looking to gain access to internal networks’, Moore said.

The cybersecurity company Kaspersky also noted that cybercriminals could exploit vulnerabilities to ‘get their hands on your files and steal confidential information to sell for blackmail.

FatFace was hit by a ransomware attack which put 200GB of customer and employee data at risk. The attack reportedly began with someone clicking on a phishing email


‘Attackers can also change your internet access settings, for example, forcing the router to feed you phishing websites where they can pinch your login credentials.’ Phishing emails and websites are also a common way in which criminals deploy ransomware.

But, Moore said, ‘a vulnerable IP address is not an easy problem to fix.’

He added: ‘Being notified of the issue is just the beginning. Anti-malware programmes and other security infrastructures are built to trust internal sources, so it is difficult to quarantine communications from an internal IP address.’

The clothing chain, headquartered in Havant, near Portsmouth, has continued to face criticism from customers for not telling them sooner.

It was hit by the ransomware attack on 17 January and informed the police and the Information Commissioner’s Office but did not tell customers until an email sent on 24 March, which had the subject line ‘strictly private and confidential’.

‘I cannot believe they have sent their customers an email marked private and confidential for a hack that took place in January’, one customer wrote on the review website Trustpilot at the end of last month.

It previously told This is Money it ‘wanted to get as much clarity on events and the data concerned before providing those involved with details of what had happened’.
