This week, British fashion retailer FatFace “disclosed” suffering a cyber-attack in January to its customers and employees. It appears that customers, current, and former employees may have been affected. Customers may have had their names, emails, physical addresses, and the last four digits of their credit cards compromised in the breach, according to an email sent by the company.
However, the company asked customers to “keep this email and the information included within it strictly private and confidential.” This prompted an immediate and serious backlash. Customers were deeply upset because the company took two months to inform customers. Additionally, U.K data protection laws demand companies disclose breaches within 72 hours of detection.
Moreover, after the customers received their notification, employees received an email detailing their own exposure in the breach. In addition to the above-listed exposed information, employees also learned their bank details and National Insurance numbers at risk.
The hackers responsible have not yet been identified. FatFace did not state how many employees or customers may have been affected.
To gain a little more perspective on this attack, we spoke to Anurag Kahol, CTO and Cofounder of Bitglass.
“It’s concerning that it took the company over two months to disclose this data breach. The personally identifiable information (PII) and financial details stolen in this incident put those affected at greater risk of financial fraud, identity theft, and even physical danger. Organizations that suffer from a breach must take responsibility and disclose its full impact as soon as possible, rather than wait to do so and try to obfuscate its existence from the public.
While maintaining compliance with privacy regulations should always be a top priority, this incident also highlights the inadequacy of reactive approaches to security. To prevent unauthorized access, organizations must adopt flexible security platforms that provide a wealth of capabilities that proactively detect and respond to threats as they arise. For example, implementing capabilities like step-up multi-factor authentication (MFA), data loss prevention (DLP), and user and entity behavior analytics (UEBA) can give organizations much-needed control over access to their data. In today’s frenetic world, real-time protections are absolutely necessary.”
Thanks to Anurag Kahol. For more, check out the Endpoint Security Buyer’s Guide.
- Endpoint Security Providers: Best of 2023 and Beyond - October 31, 2022
- Best Books for Defending the Digital Perimeter - September 14, 2021
- Apple Vulnerability Places All of Apple iOS at Risk - September 14, 2021