VF Corporation Data Breach Incident
Updated by Keith Kirkland
High-Level Summary of the Security Advisory
VF Corporation, based in Denver, Colorado, is a global apparel and footwear company owning brands such as VANS, Supreme, and The North Face.
In a January 18, 2024, Form 8-K filing with the Securities and Exchange Commission (SEC), VF Corporation revealed that the hackers stole the personal information of approximately 35.5 million individual consumers.
According to the Form 8-K filing by VF Corporation, on December 13, 2023, the company detected unauthorized access to a portion of its information technology (IT) systems. The company immediately began taking measures to remediate the attack and launched an investigation, activating its incident response plan, and shutting down some systems. VF Corporation believes that the threat actor was ejected from their IT systems on December 15, 2023.
As of January 18, 2024, VF Corporation operated retail stores, brand e-commerce sites, and distribution centers were operating with minimal issues. Following the system shutdown, the company faced disruptions, impacting operations such as retail inventory replenishment and delayed order fulfillment. VF Corporation has substantially recovered the IT systems and data affected by the cyber incident. However, the company is still addressing minor operational impacts.
VF Corporation does not store consumer social security numbers, bank account details, or payment card information within its IT systems as part of its direct-to-consumer practices. As the investigation continues, there is no evidence suggesting the threat actor obtained consumer passwords.
VF has informed and is actively collaborating with federal law enforcement and relevant regulatory authorities, ensuring continuous cooperation in compliance with applicable laws.
Should I be concerned?
Maybe. It depends on if you have a relationship with VF Corporation or any of the impacted business partners or customers. Click on the link below to find out if you have a relationship with VF Corporation or any business partners or customer vendors. If you do, follow the recommendations below.
Note: this link specifically references vendor directory records. You may also want to search your Relationship List for the names (eg. VF Corp, Vans, Supreme, The North Face, etc.) to confirm.
What to do if you or your vendors have an active relationship with VF Corporation
As of January 18, VF Corporation, amidst the ongoing investigation, asserts that while there may still be some minor residual impacts, the major disruptions outlined have been addressed. The Form 8-K filing states that VF Corporation holds the belief that the impacts of the cyber incident are not deemed material and are not reasonably likely to significantly affect its financial condition and operational results.
VF Corporation intends to seek reimbursement for costs, expenses, and losses incurred from the cyber incident by filing claims with its cybersecurity insurers. The exact timing and amount of potential reimbursements remain unknown at this juncture.
We recommend that you promptly reach out to the VF Corporation or its subsidiary brands (such as VANS, Supreme, etc.) and conduct a thorough investigation to assess any potential impact of the incident. Subsequently, implement the requisite remedial actions.
--------------------------------------------------------------
We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback please let us know at product@visotrust.com.
For any additional questions, please reach out to your customer success manager.
Stay ahead of the curve with our Public Risk Notice Alerts!
Get the latest information and news to your inbox on cybersecurity breaches and third-party vendor risks that could impact your organization.
Sign up today to fortify your organization's security.
The VISO TRUST team
—----------—----------—-----