
Cyber Incident Victim: FatFace

Date: Jan 2021

Location: United Kingdom

Summary

A British clothing retailer suffered a ransomware attack following a phishing compromise of an internal workstation, leading to unauthorized network access and lateral movement by threat actors. The attackers exfiltrated over 200GB of customer data including names, contact details, and partial payment card information, subsequently demanding an $8.5 million ransom that was negotiated down to $2 million. The company faced public criticism for instructing breach notification recipients to maintain confidentiality about the incident. The attackers provided recommendations for improving network security post-compromise, and the victim engaged law enforcement and data protection authorities following the attack.


Description

The FatFace ransomware attack began on January 10, 2021, when threat actors compromised an internal workstation through a phishing attack. The attackers subsequently escalated privileges to gain administrative rights, enabling lateral movement across FatFace’s network. During this reconnaissance phase, they identified critical infrastructure components including cybersecurity installations, Veeam backup servers, and Nimble storage systems. The ransomware payload was deployed on January 17, 2021, resulting in the exfiltration of over 200GB of data. Security researcher Valéry Marchive uncovered a ransom note confirming negotiations between FatFace and the Conti ransomware gang, who initially demanded $8.5 million. After negotiations, FatFace paid $2 million to obtain a decryption key and secure a promise from the attackers not to leak stolen data. The Conti group provided FatFace with a post-incident report recommending security improvements such as enhanced email filtering, phishing awareness training, stricter Active Directory password policies, EDR implementation, and offline backup strategies.


The breach exposed customer names, email addresses, physical mailing addresses, and partial credit card information consisting of the last four digits and expiration dates. FatFace notified affected customers via email in March 2021 but drew significant criticism for including a confidentiality clause instructing recipients to keep the breach "strictly private and confidential." This unusual request sparked widespread backlash on social media platforms like Twitter. The company confirmed the ransomware attack to ComputerWeekly, stating it had reported the incident to law enforcement and the UK Information Commissioner’s Office (ICO). No further technical details about containment measures or system restoration timelines were disclosed in the available source material. The incident highlighted both operational vulnerabilities to initial phishing compromises and subsequent challenges in crisis communication management following data theft.
