Personal data belonging to 35.5 million customers of popular apparel brands was exposed in a December data breach, though the exact nature of the stolen data remains unclear.
The affected company, VF Corporation, is a 125-year-old, $6 billion clothing conglomerate based in Denver. Popular brands under its umbrella include Dickies, JanSport, North Face, Supreme, Timberland, Vans, and more.
Per annual cybercrime tradition, VF discovered it had been breached during the lead-up to the holiday shopping season, on Dec. 13. Aside from disruptions to its business operations, personal data belonging to more than 35 million of its customers was siphoned off, according to an 8-K/A filing with the US Securities and Exchange Commission (SEC), updated yesterday.
VF Data Breach: What We Know
After first discovering the incident, VF reported having to shut down some of its IT systems. Doing so caused disruptions to certain operations, including delays to inventory replenishment, shipments, and order fulfillment. As a result, demand for certain affected brands’ websites slowed, and some customers canceled orders.
The company kicked the cyberattackers out of its systems on Dec. 15. The 8-K/A specifies neither the nature of the attack nor the perpetrators, but in its Dark Web blog last month, AlphV/BlackCat claimed responsibility, which may mean ransomware and extortion were involved.
Even now, more than a month on, the company “is still experiencing minor residual impacts from the cyber incident,” according to the 8-K/A, though it has “substantially restored the IT systems and data that were impacted,” and resumed as normal with inventory and orders.
What VF Retail Customer Data Was Stolen?
VF did not disclose on Thursday what customer information was stolen from its IT systems and noted that its investigation is ongoing.
It did, however, highlight certain data that wasn’t stolen. There’s no evidence yet to suggest that customers’ account passwords were taken, and the company does not store Social Security numbers, bank account details, or credit card numbers in its IT systems.
“By disclosing what wasn’t taken, VF is providing a certain level of assurance to the SEC and their investors that several types of highly sensitive [personally identifiable information] PII were not among the 35 million records,” says Padraic O’Reilly, co-founder and chief innovation officer for CyberSaint.
However, he adds, “based on this, we can assume that customer names, addresses, demographic and purchase information might be in play. 8-Ks are usually staged as investigations progress, so this is a stay-tuned situation.”