VF Corp., the parent company of popular apparel brands Vans, Supreme, and The North Face, said last week that hackers stole the personal data of 35.5 million customers in a December cyberattack, reports TechCrunch. The filing to regulators didn't say specifically what kinds of personal data was taken, or if the company yet knows what was stolen. VF Corp said it doesn't retain consumer Social Security numbers, bank account information, or payment card information for its consumer businesses, nor does the company have evidence that the hackers stole customer passwords.
VF Corp. previously said the hackers disrupted its operations “by encrypting some IT systems,” implying a ransomware attack. The ransomware and extortion gang known as ALPHV (or BlackCat) later claimed credit for the breach. In its Thursday filing, VF said it's “still experiencing minor residual impacts from the cyber incident,” but that it has caught up on fulfilling orders that were delayed. The company said it “has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts.”
Total Retail's Take: VF Corp. detected the ransomware attack on Dec. 13 amidst the critical holiday season. The incident caused operational disruptions and impacted the company's ability to fulfill orders, but customers were still able to place them online and shop in stores globally. However, the company believes the impact of the cyberattack is unlikely to be material to its financial state. VF Corp. is seeking reimbursement of costs, expenses and losses from its insurers.
VF Corp. disclosed the security incident on the same day that the U.S. Securities and Exchange Commission’s new data breach disclosure rules came into effect. The SEC Incident Disclosure Regulations that went into effect mean that "waiting until a cyberattack is underway to roll out your incident response plan is no longer an option," commented Craig Harber, security evangelist at Open Systems, in an email about the VF Corp. cyberattack to Total Retail. "Companies must have effective cybersecurity plans in place to prevent cyberattacks, minimize the damage they cause, and comply with regulatory requirements to ensure that they're not penalized for noncompliance.”
Kristina Stidham is the digital content director at Total Retail and sister brands Women in Retail Leadership Circle and Women Leading Travel & Hospitality at NAPCO Media. She is passionate about digital media and handles video, podcast and virtual event production for all brands. You can often find her at WIRLC, TR, WLT&H or industry events with her camera and podcasting equipment—or at home on Zoom—recording interviews with thought leaders and business executives.
Kristina holds a B.A. in Media Studies and Production from the Temple University Klein College of Media and Communication in Philadelphia. Go Owls! When she's not in the office, she loves to go on long walks, sing around the house, hangout with her family and two pet guinea pigs, and travel to new places.