The British clothing label FatFace has sent its customers a data breach notice after suffering a ransomware attack at the start of the year. Although the company was attacked on January 17, it has only recently passed this information on to its customer base.

An unusual request to data subjects

According to FatFace’s notification, the ransomware operators gained access to the brand’s core infrastructure, which allowed them to reach the data it holds on customers. The stolen data included a range of personally identifiable information (PII) such as customer names, postal and email addresses, and partial payment card details, namely the expiry dates and the last four digits of the card numbers.

Notifying customers of exposed PII is routine after a data breach, but the notices contained an unusual request: recipients were asked to keep both the email and its contents confidential. IT news site BleepingComputer commented that, while it has reported on numerous data leaks, it had never seen a company make such a request of data subjects, and believed it was unlikely that the company had any authority to ask this of them.

The request caused a considerable stir on social media, with many customers under the impression that the clothing brand was attempting to cover up the incident. However, FatFace had followed the proper process, and said that it had reported the attack both to the UK data regulator, the Information Commissioner’s Office (ICO), and to law enforcement.

Dedicated ransomware attack leads to data breach

The data leak exposing FatFace customers’ personal information was the result of an attack using CONTI ransomware. A record uncovered by LeMagIT, a sister publication of ComputerWeekly, revealed the ransom negotiation held between the gang behind the attack and FatFace.

As in many contemporary attacks of this kind, the CONTI gang reviewed the victim’s financial records before deploying the encryption payload. This review gave the threat actors insight into the clothing company’s finances, including its cyber insurance cover, a point the attackers raised during the ransom negotiations.

CONTI’s initial ransom demand was $8.5m (£6.17m), but following negotiations this was reduced to $2m (£1.45m) in return for a decryption key and a promise from the operators not to publish the stolen data, which amounted to more than 200 gigabytes.

According to the attackers, they first gained access to one of FatFace’s internal workstations through a phishing attack on January 10. CONTI then obtained administrative rights and moved laterally across the company’s network, locating FatFace’s Nimble storage arrays, its backup servers and its security tooling.

A statement issued by the clothing label commented:

“FatFace was unfortunately subject to a ransomware attack which caused significant damage to our infrastructure.”

Additionally, the gang behind the attack provided FatFace with a detailed report on how it could better protect its network, including phishing simulations to raise staff awareness, email filtering, endpoint detection and response (EDR) technology, stronger Active Directory (AD) password policies and even an offline backup strategy.