Fast fashion cyber fraud

  • Case Study
  • Case Study

  • Cyberrisques

  • 2019

It wasn’t a global fashion retailer's trendy outfits a cyber attacker was interested in – it was skimming the financial details of over 100,000 customers. With more than 100 markets impacted, Clyde & Co’s rapid central coordination helped cut the problem down to a size zero.

Problem

Even online retailers get cyber security wrong. And when there is an attack the danger of the entire business being paralysed is much higher than old fashioned bricks-and-mortar companies. When this happened to a popular online clothing brand fast fashion came to a grinding halt.

The fashion house, which has a global following, discovered that an attacker had gained access to its systems and stolen a vast amount of customer data (including banking details). In total, it affected over 100,000 customers in over 100 countries across Asia Pacific, the Americas and Europe, Middle East and Africa. 
 

Online clothing brand

Even online retailers get cyber security wrong

Customer details

An attacker had gained access to their system and stolen a vast amount of customer data (including banking details)

Global breach

With a total impact of over 100,000 customers in over 100 countries

Rapid response

When cyber-attacks happen it's our goal to resolve them quickly and mitigate the business interruption as much as possible

Solution

With the breach discovered and actual financial harm being caused to a number of customers (through credit cards being skimmed), the company quickly shut down part of its ecommerce platform. Clyde & Co was then brought in to coordinate a global response, working closely with national regulators, as well as identifying all liabilities. It also rapidly notified all affected individuals, so that further misuse of information could be minimized.

The cyber team instructed forensic IT consultants to go into the system and review the incident. These experts were able to trace the signs of malware being present and could determine the extent of data that had likely been taken. 

In a parallel process the team worked simultaneously with regulators in over 25 jurisdictions. And although based outside Europe, as it targeted customers in the EU, the company was also subject to the Global Data Protection Regime (GDPR). 

Outcome

The global Clyde & Co team was able to deliver a multi-jurisdictional response, including the timely (within 72 hours) notification of the 28 states that make up the EU.

Helen Bourne, Partner

Helen Bourne, who leads Clyde & Co’s cyber team in the UK, says “We also dealt with the company’s process and payment partners, and other key stakeholders, including its private equity backers.”

The team helped to coordinate a comprehensive response that embraced the whole business, from board level to customer service team, impacted individuals and even the retailer’s owners. With the breach now closed and the system protected, the company was soon able to fully reopen for business.

“When cyber-attacks happen it’s our goal to resolve them quickly and mitigate the business interruption as much as possible,” concludes Helen. “Also, by responding rapidly and transparently in meeting the client’s regulatory obligations we also minimize the instances of subsequent regulatory investigations."

Key Contacts

Helen Bourne
Helen Bourne

Partner

Garrett Moore
Garrett Moore

Partner

Dr. Henning Schaloske
Dr. Henning Schaloske

Partner

David Méheut
David Méheut

Associé

Nathalie David
Nathalie David

Associée

Related Client Case Studies