Vans parent confirms data breach
Thirty-five million people affected
VF Corp, the parent company of apparel brands Vans, Supreme and The North Face, has revealed that a cyber incident last month led to a data breach, compromising personal data belonging to around 35.5 million customers.
The announcement was made through an 8-K/A filing with the US Securities and Exchange Commission (SEC) on Thursday.
VF Corp did not disclose the exact nature of the stolen information, citing an ongoing investigation. However, it said there is no evidence to suggest the theft of customer account passwords.
The company also clarified that it does not store sensitive information such as social security numbers, bank account details or payment card information within its IT systems.
The disclosure filings don't mention any compromised data related to staff, business partners or other stakeholders - only customers.
Breach before the break
The 125-year-old retail giant detected the breach on 13th December, just ahead of the Christmas shopping season.
The company initially reported disruptions in fulfilling orders, affecting its ability to replenish retail store inventory.
Following the discovery of the breach, the company moved to shut down some IT systems, which inevitably disrupted various business operations.
The consequences extended to affected brands' websites, causing a slowdown in demand and customer order cancellations.
It took two days for VF Corp to remove the attackers from its systems, which it successfully did on 15th December.
The company reported "substantial" progress in restoring its systems and data.
"Since the filing of the original report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts," it said in the filing.
VF Corp does not anticipate a significant impact on its financials.
While the attack is suspected to have involved ransomware, VF Corp has not officially confirmed this aspect.
The initial disclosure mentioned parts of its IT systems being encrypted, and the AlphV/BlackCat gang claimed responsibility for the attack days after its disclosure.
The company's wording in its latest filings, referring to "unauthorised occurrences" and data theft, leaves room for speculation about the involvement of ransomware. Such careful wording is a common way to avoid explicitly acknowledging ransomware incidents.