Skip links

Thieves steal 35.5M customers’ data from Vans sneakers maker

VF Corporation, parent company of clothes and footwear brands including Vans and North Face, says 35.5 million customers were impacted in some way when criminals broke into their systems in December.

The announcement was made in a Thursday 8-K/A filing with the Securities and Exchange Commission (SEC), and we’re only left to speculate about what kind of information the attackers may have scrambled away with.

The parent company of fashion labels, which also include Supreme, Timberland, and Dickies did, however, confirm the type of data that couldn’t have been accessed.

VF Corp said that customers’ social security numbers (SSNs), bank account information, and payment card information remain uncompromised as these are not stored in its IT systems.

There’s also no evidence to suggest that consumer passwords were accessed, it confirmed, although it did caveat this with “the investigation remains ongoing”.

If you want to really look between the lines of the document’s wording, you’ll see that VF Corp explicitly said SSNs, financial information, and passwords – all excluded from potential compromise – were all explicitly defined as being consumer-related specifically.

The same goes for the number of individuals affected – 35.5 million “individual consumers” had their personal information stolen.

Neither its original breach disclosure filing nor this week’s update mentioned compromised data related to staff, business partners, or other stakeholders. The Register requested a statement from VF Corp but had not received a response by the time of publishing.

As for the operational disruption the attack caused, VF Corp said IT systems have been “substantially restored” and its businesses are now operating with minimal disruption.

When the attack was first disclosed, the clothes seller said its ability to fulfill orders was affected, but online and retail stores were still up and running as normal.

This week’s filing said the company’s ability to replenish retail stores’ inventory was affected and combined with the fulfillment issues. This led to customer order cancellations and reduced demand across some of its brands’ e-commerce sites.

“Since the filing of the original report, while VF is still experiencing minor residual impacts from the cyber incident, VF has resumed retail store inventory replenishment and product order fulfillment, and is caught up on fulfilling orders that were delayed as a result of the cyber incident,” the filing reads. 

“Since the filing of the original report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts.”

The attack on VF Corp is suspected to have involved ransomware. The filings mention parts of its IT systems being encrypted, and the AlphV/BlackCat gang claimed the attack days after its disclosure, but the company has not confirmed this to be the case.

That being said, it wouldn’t be the first ransomware victim to carefully massage the wording of its disclosures so as to avoid the dreaded R word.

The practice is commonplace in the industry and reached its peak last year when Minneapolis Public Schools notoriously referred to its attack, later claimed by the Medusa ransomware gang, as an “encryption event.” ®