Incident & Breach Response , Security Operations

35.5 Million Customers Affected by Apparel Maker VF's Breach

Owner of Such Brands as North Face and Vans Says Business Mostly Back to Normal
35.5 Million Customers Affected by Apparel Maker VF's Breach
The North Face parent VF Corp. said hackers had stolen data pertaining to 35.5 million customers. (Image: Shutterstock)

Skateboarding shoe and outdoor apparel maker VF Corp. said data pertaining to 35.5 million customers appears to have been stolen in a recent data breach.

See Also: The Six Key Requirements of Multicloud Security

The Colorado maker of apparel and footwear brands including Vans, Supreme, The North Face and Timberland told investors Thursday that its data breach estimate is based on a "preliminary analysis."

VF said its "investigation and remediation efforts remain ongoing" following unauthorized access to its systems the company first detected on Dec. 13.

The company said it believes it ejected the hacker from its systems on Dec. 15. Before then, the hacker stole data and successfully encrypted some IT systems, the company said. VF didn't detail what data was stolen but said it doesn't collect or retain any customers' Social Security numbers, bank account details or payment card information.

As a result of the attack, VF said, it shut down some systems, disrupting some operations. Impacts it cited included "interrupted replenishment of retail store inventory and delayed order fulfillment which had impacts such as the cancellation by customers and consumers of some product orders, reduced demand on certain of its brands' e-commerce sites, and delay of some wholesale shipments."

The Denver company earned $11.6 billion in revenue last year and owns 12 brands, including JanSport backpacks and Dickies rugged wear.

The company said all retail stores remained open following the attack. It also warned online customers of delivery delays.

Timberland's website read after the breach: "Apologies, logistical disruptions are impacting delivery dates." A similar message appeared on the checkout page of the Vans website: "Apologies, due to a logistical disruption, the estimated delivery dates shown in the checkout process are incorrect. You will be notified by email when your item ships and can then track it with the shipper."

VF on Thursday reported that although it is "still experiencing minor residual impacts" from the attack and has yet to fully restore all systems, it "has resumed retail store inventory replenishment and product order fulfillment, and is caught up on fulfilling orders that were delayed as a result of the cyber incident."

VF first announced the cybersecurity breach on Dec. 18, the same day the U.S. Securities and Exchange Commission's new mandate for large and medium-sized publicly traded companies took effect, requiring that they disclose "material cybersecurity incidents" within four business days of determining materiality. Small businesses have until mid-June before they must comply with the rule (see: SEC Votes to Require Material Incident Disclosure in 4 Days).

While VF initially reported that the breach was having a material impact on its business, it said that has ended. In its Thursday report to investors, the company said that since it mostly remediated the attack, "the impacts of the cyber incident are not material and are not reasonably likely to be material to its financial condition and results of operations."

The company said at least some incident response and remediation costs should be recouped via its cyber insurance coverage. "The timing and amount of any such reimbursements is not known at this time."

On Friday, VF's share price was down about 20% compared to 32 days prior, when it first announced the data breach.

With reporting from Information Security Media Group's Mihir Bagwe in Mumbai, India

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.