Cyber Incident Victim: French Connection
Date: Jun 2021
Location: United Kingdom
Summary
A ransomware attack linked to the REvil gang compromised the back-end systems of fashion retailer French Connection, exfiltrating sensitive internal data including executive passport and identification card scans. The company confirmed the breach, suspended affected systems immediately upon discovery, and initiated manual restoration processes while maintaining normal operations. Stolen information, typically sold on dark web markets by such groups, included personal documents of senior leadership but did not involve customer data. The organization reported the incident to relevant authorities, though it declined to disclose whether ransom demands were made.
Description
On or around June 24, 2021, French Connection (FCUK), a UK-based fashion retailer, experienced a ransomware attack affecting its internal back-end servers controlling corporate systems and operations. Attackers linked to the REvil ransomware gang exploited a security vulnerability to infiltrate these systems and exfiltrate sensitive internal data. The stolen information included scanned copies of passports and identification cards belonging to senior executives, such as founder and CEO Stephen Marks, CFO Lee Williams, and COO Neil Williams. The attackers provided these documents as proof-of-breach to substantiate their claims. French Connection confirmed the incident was an organized cyberattack but clarified that customer data remained uncompromised throughout the breach.

Upon discovering the intrusion, French Connection immediately suspended affected systems to contain the incident and initiated restoration efforts using manual processes to maintain business operations. The company emphasized that retail trading continued normally despite the disruption to back-end infrastructure. While French Connection did not disclose whether a ransom was demanded or paid, it reported the breach to relevant authorities, including the UK Information Commissioner’s Office (ICO). The attackers’ affiliation with REvil suggests the stolen data was likely intended for sale on dark web markets, consistent with the gang’s operational patterns. No further technical details regarding the initial attack vector, data volume, or full scope of compromised systems were publicly disclosed by the company.
