back to article Clothes retailer Fatface: Someone's broken in and accessed your personal data, including partial card payment details... Don't tell anyone

British clothes retailer Fatface has infuriated some customers by telling them "an unauthorised third party" gained access to systems holding their data earlier this year, and then asking them to keep news of the blunder to themselves. Several people wrote into The Register to let us know about the personal data leak, with …

  1. heyrick Silver badge

    Please do keep this email and the information included within it strictly private and confidential.

    Quickest way ever to get the contents dropped on social media.

    1. My other car WAS an IAV Stryker Silver badge
      Paris Hilton

      Re: Please do keep this email ... strictly private and confidential.

      A pure Streisand moment.

      Icon: closest person/thing ===>>

    2. Michael Wojcik Silver badge

      Re: Please do keep this email and the information included within it strictly private...


      But here's an interesting twist. An organization drafts an email like this one – and note the one shown in the article is fairly long. Pick a dozen words with suitable synonyms and phrases that can be reworded, and make a list of their positions and alternatives. Now you can mechanically generate 212 different email messages that have the same semantic content but are unique.

      Assuming you have fewer than 4096 recipients (find more alternative pairs if you have more), you can take your mailing list, compute a perfect hash, and use the binary representations of those values to select which alternative for each pair to use.

      Now when a message leaks, you can instantly identify the leaker. All you need are the list of alternatives, the list of recipients, and the hash function. (This is not innovative; it's the same approach people used to find "birthday" collisions for digital signatures that used hash functions with too-short images.)

      I doubt Fatface has anyone clever enough to do this sort of thing, but it's entirely possible to trace social-media leaks of "confidential" messages this way.

      1. dave 76

        Re: Please do keep this email and the information included within it strictly private...

        "Now when a message leaks, you can instantly identify the leaker."

        And then what? You sent me an unsolicited email asking me to keep it confidential which I shared. What are you going to do now?

        I never agreed to you catagorising the issue as confidential. The worst you can do is refuse to accept my future business, which I am unlikely to give to you anyway after this fiasco.

  2. Anonymous Coward
    Anonymous Coward

    I don't often read these articles about data breaches.

    They all spout the same utter bollocks about how they do take data security really, really, very really seriously Indeed.

    The only reason I read this article was because I misread the headline shop name as "Fartface". I need more beer I think...

    1. 9Rune5

      Re: I don't often read these articles about data breaches.

      You may have predicted the outcome of their upcoming rebranding exercise.

      If so: Cheers indeed!

    2. Not previously required

      Data breeches from Fatface

      I assumed this was some trendy item of clothing. Perhaps you need them to ride one of those fancy kneeling stools.

  3. Andy Non


    They haven't given the boilerplate PR response that "they take the security of their customer's data very seriously".

    1. Anonymous Coward

      Re: Strange

      @Andy Non.

      You are right. It wasn't only the headline I misread. Join me in a couple of these

    2. TkH11

      Re: Strange

      But they did give the standard bulls..t response about it being a 'sophisticated' criminal attack to try to reduce the criticism levied at them. "Not my fault guv".

      1. Michael Wojcik Silver badge

        Re: Strange

        For organizations like this, anything more complicated than tossing a brick through a window is "sophisticated".

    3. martyn.hare

      At least

      They take the security of their disclosures very seriously!

    4. logicalextreme Silver badge

      Re: Strange

      But "rest assured that [their] systems are secure".

      And even if they're not, then hey, they won't even know about it till later in the month, and you won't know about it till a couple of months later.

  4. Anonymous Coward
    Anonymous Coward

    So a very quick look at the jobs...

    IT Application Support Analyst

    What caught my eye:

    Experience of common data reporting and analysis tools, including SQL Reporting Services (SSRS), Excel with external data connections, and VBA Macros

    Excel and VBA macros... :)

    No jobs advertised for Security Analyst though.

    1. Zippy´s Sausage Factory

      So not only can they not keep the information confidential, they're probably not even reporting on it accurately either*.

      * I'm allowed to say that because I wrote VBA macros for a living for about three years, which makes it self-deprecating humour.

      1. Warm Braw Silver badge

        Whereas self-documenting code is clearly fantastical, self-deprecating code seems eminently plausible, especially if written in VBA.

    2. Potemkine! Silver badge

      Since when VBA macros are related to IT? I thought this pseudo-language were for salespeople only.

      1. Anonymous Coward
        Anonymous Coward

        depends if theyre typing the code directly or just pawing at the record macro button with the mouse.

        you can do anything with vbs. wether you should or not is another thing ...

        1. Michael Wojcik Silver badge

          You can doom anything with VBA.


  5. wolfetone Silver badge

    Fat Face?

    More Red Face now.

    1. Mike 137 Silver badge

      Re: Fat Face?

      "More Red Face now."

      Not for long if past experience shows anything. Even massive data breaches accompanied by fatuous follow-ups (see Equifax, who actually offered their own credit monitoring service after their own data breach) don't seem to hit business for more than a few months, if that.

  6. RM Myers

    Fatface or Fathead

    Considering the quality of the notification email, Fathead might be a better name for their business. Oh well, I'm not a customer, so at least I got a laugh out of the "Strictly Private and Confidential". It reminded me of the "don't tell anyone, but ..." rumor spreading technique pre-social media. When you really, really want people to tell the world, then just tell them it's a secret

    1. logicalextreme Silver badge

      Re: Fatface or Fathead

      Just goes to show that they haven't learned from the breach that they can't keep information private.

  7. Doctor Syntax Silver badge

    Did they do a proper job and send the emails cc to a few hundred customers?

  8. Ken Moorhouse Silver badge

    Do they insult you when you ring them up...

    Hello Fatface,

    How can I help you?

    (Not as bad as that Anchor company though).

    1. Anonymous Coward

      Re: Do they insult you when you ring them up...

      > (Not as bad as that Anchor company though).

      But they're so nice, butter wouldn't melt in their mouths!

  9. Macnot

    Their Helpline is in fact Experian who are unable, it seems, to answer questions despite what it says in the Email. Seems their Call Centre Supervisors can't be bothered to call back either.

    Wonder what Lloyds Bank and Goldman Sachs (current owners of FatFace think of this???

    1. Doctor Syntax Silver badge

      That they're spending too much on security and customer relations.

  10. Phil Kingston

    At some point we're going to need to have a real good look at Experian's involvement in all these.

    1. Doctor Syntax Silver badge

      At some point? Long overdue.

  11. Anonymous Coward
    Anonymous Coward

    Strictly Private and Confidential


    I’ve said too much already.....

  12. Potemkine! Silver badge

    We have commenced a programme of work to upgrade some of our older applications with a modern, cloud-based application with Phase 1 completed and a further phase scheduled for 2021

    So if it's moved to a modern cloud-based set of applications then there's nothing to worry about cybersecurity then

    1. Mr Humbug

      That's not about increasing security, it means "We have begun work on shifting the blame for this sort of thing to someone else"

  13. Anonymous Coward
    Anonymous Coward

    Just wondering...

    "Last 4 digits of card number"

    Is that useful to crims? Yes in that it can be used to build confidence by quoting it in a scam email but to what extent can it be "reverse engineered" given that the first few digits relate to card provider and there's a mod10 check digit.

    1. Michael Wojcik Silver badge

      Re: Just wondering...

      Sometimes it can be combined with other databases to associate the full card number with owner information. Someone will find a use for it.

  14. Blackjack Silver badge

    Multi factor authentication can be quite unsafe

    If it includes the use of SMS, that is quite unsafe and not even used anymore in some countries, like Japan that replaced it with.... e-mail.

  15. Anonymous Coward
    Anonymous Coward

    not enough to just ask

    If you want someone to be compliant with a request you have to say why - because what's necessary obvious to you isn't obvious to the recipient. Even if might be embarrassing to you/the organisation

    eg please keep the door to the staff room closed at all times (because otherwise the aircon goes into overdrive and somehow trips the telephone system)

    please do not use parking spaces at front of offices which are for visitors only (because if they park round the back they'll see the comfortable "employee relaxation area" mentioned on the website is actually five mismatched picnic chairs and a shredded parasol)

    1. Chris G

      Re: not enough to just ask

      "eg please keep the door to the staff room closed at all times (because otherwise the aircon goes into overdrive and somehow trips the telephone system)"

      Sometimes it's not easy to explain, of you apply your example to a school, the teachers don't want the pupils to see them chain smoking, drinking alcohol and scratching their nuts.

      Although in this case it seems clear that Fartface

      was just trying to protect its reputation in the face of an avoidable failure.

  16. Macnot

    The email signed by CEO Evans says they knew about the breach on 17 January. The Directors Report in their accounts filed at Companies House in February is signed by CEO Evans and dated 2 February! No mention of any breach in that report. Oh dear.......!!!!

    Can anything this company says now be trusted? Or should we keep that strictly confidential???

  17. Just a geek

    Yet another 'sophisticated' hack.

    Fatface join the ranks of Easyjey, FireEye, Solarwinds, AWS and sonicwall. All have claimed to have been the victims of "sophisticated" attacks and yet not one single one of them will reveal why the attack was sophisticated instead of the just shitty security. Of course, in the case of solarwinds we know that the breach was anything but sophisticated and yet companies still roll out that trite line along with "we treat your security seriously".

    Pisses me off no end.

  18. Prst. V.Jeltz Silver badge

    "When a data incident happens, we would expect an organisation to consider whether it is appropriate to contact those affected"


    What would be an example of when that is not appropriate?

    1. Michael Wojcik Silver badge

      When they can hush it up instead, obviously.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like