In the penultimate week of March, retail chain Fat Face reportedly sent an email to customers notifying them of a breach that had first been identified in mid-January. Sent to thousands of affected customers, the email revealed that private data had been accessed by an unauthorised user for a limited period of time. It has also been alleged that customers were told to keep the notification of the Fat Face data breach private, and that the company paid a ransom to a cybercrime gang.
These claims have yet to be fully verified, but there are still several issues arising out of the Fat Face data breach. The company’s notification to customers appears to be delayed at best, which raises questions about whether Fat Face followed the correct data breach notification procedures. At this stage, we do not know, and we will need to find out.
In any case, the victims whose private information was exposed could now fall victim to data misuse. If it emerges that Fat Face was at fault, victims may be eligible to make compensation claims, and we are already taking claims forward for this incident.
The Fat Face data breach – what happened?
At the end of March, the Fat Face data breach became public knowledge when a notification email was sent out to thousands of affected customers. It described a breach, initially detected on 17th January, in which a hacker is understood to have accessed data including customers’ names, postal addresses and email addresses, as well as the last four digits of their credit cards. According to reports, staff were contacted with a similar email, which instead told them that their bank account details and National Insurance numbers may have been compromised.
Fat Face asserts that it began an investigation immediately in association with cybersecurity specialists, who established that an unauthorised third party had gained access to data for a short period of time. It is not clear when this conclusion was reached, but it took Fat Face over two months to notify customers that their data had been affected.
Fat Face’s response to the breach
Typically, UK laws require companies to disclose data breaches within 72 hours of the incident occurring, or knowledge of it occurring. Customers faced a long delay before they were notified of the personal information affected in the Fat Face data breach and, on top of this, the company reportedly made the following request to customers:
“keep this email and the information included within it strictly private and confidential”
As specialists in data protection law, we want to reassure those affected that they are still entitled to seek independent legal advice. Your Lawyers – The Data Leak Lawyers – as a leading firm of data breach lawyers, can tell you now that this statement is an unusual one to have been made.
Some reports have alleged that Fat Face paid a $2m ransom to a ransomware gang following the data breach. If this is found to be true, Fat Face may have gone against the standard advice given by cybersecurity experts to not give in to such demands.
Potential compensation claims
The ICO is now investigating the Fat Face data breach, so the allegation of ransom payment may not be proven or disproven until the regulator comes to a conclusion.
Nevertheless, the customers and employees who have had their personal data exposed are likely to have been distressed to receive this news. Those affected may be able to claim compensation for the harm caused, so contact us for free, no-obligation advice if Fat Face notified you of your involvement in the breach.
IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
First published by Author on April 06, 2021