
North Face, Timberland parent says breach affected 35 million customers

VF Corp. is updating results from its December 2023 cyberbreach.

VF Corp. says a December cybersecurity incident resulted in approximately 35.5 million individual consumers having personal data stolen.

In December 2023, the parent company of The North Face, Timberland and Vans publicly acknowledged that on Dec. 13, 2023, it detected “unauthorized occurrences” on a portion of its IT systems. In a new Form 8-K/A filing with the Securities and Exchange Commission, VF Corp. reported that it does not collect or retain any consumer social security numbers, bank account information or payment card information as part of its e-commerce operation.

While the investigation remains ongoing, VF says it has not detected any evidence that any consumer passwords were acquired by the intruder. Upon detecting the unauthorized occurrences, VF Corp. said it immediately began taking steps to contain, assess and remediate the incident, including beginning an investigation with external cybersecurity experts, activating its incident response plan, shutting down some systems and cooperating with federal law enforcement. 

In its latest SEC filing, VF Corp. also reported that as a result of the measures it took as part of ongoing investigative and remediation efforts, the unauthorized intruder was ejected from its IT systems on Dec. 15, 2023. VF has notified, is cooperating with, and will continue to cooperate with and notify, federal law enforcement and the relevant regulatory authorities as required under applicable law.

The company says its retail stores, e-commerce sites and distribution centers are now operating with “minimal issues,” but that when it initially shut down some of its systems, it experienced disruption to some operations.

According to VF Corp., these include interrupted replenishment of retail store inventory and delayed order fulfillment, which produced impacts such as some cancelled product orders, reduced demand on some of its brands’ e-commerce sites, and delay of some wholesale shipments.

Now, the company said it is still experiencing some “minor residual impacts” from the cyber incident, but has resumed retail store inventory replenishment and product order fulfillment and is caught up on fulfilling orders that were delayed as a result of the breach. VF Corp. also said it has “substantially restored” the IT systems and data that were impacted by the cyberattack but continues to work through “minor operational impacts.”

VF Corp. will seek reimbursement of costs, expenses and losses stemming from the breach by submitting claims to its cybersecurity insurers. The company said it does not currently know when it would receive reimbursement, or how much, and has not publicly specified which of its banners were affected by the cyberattack.
