
Apparel Giant VF Corporation’s Ransomware Attack Leaked PII of over 35 Million Customers

VF Corp., owner of the apparel brands Timberland, Dickies, Smartwool, Vans, and The North Face, disclosed that the December ransomware attack leaked data, including personally identifiable information of over 35 million customers.

In the December 18, 2023, regulatory filing with the US Securities and Exchange Commission (SEC), VF Corporation said it “detected unauthorized occurrences on a portion of its information technology (IT) systems” on Dec 13, 2023.

The Denver, Colorado-based company responded by launching an investigation with leading external cybersecurity experts, activating its incident response plan, and shutting down some systems, which caused widespread operational disruptions, including to restocking and order fulfillment.

Customers could still place orders during the attack, and the company was looking for “workarounds for certain offline operations” to limit disruptions.

On December 15, 2023, the struggling apparel giant successfully ejected the threat actor from its systems but continued to experience “minor residual impacts.”

By January 18, 2024, VF Corporation had “substantially restored” its IT systems and data but continued to experience “minor operational impacts” from the cybersecurity incident.

VF Corporation ransomware attack impacted 35 million customers

The December 18 SEC filing disclosed that the attackers accessed company information, including personal data of 35.5 million customers.

However, VF Corp did not disclose the nature of the data stolen, although the apparent ransomware attack did not leak Social Security numbers, bank account details, or credit card information. Similarly, no evidence suggests that hackers stole customers’ account passwords.

It remains unclear whether the data of other entities, such as employees and business partners, was compromised. The attack vector exploited also remained unknown or undisclosed.

“Threat actors steal data, exploit weak credentials, and ultimately find any way possible to disrupt company operations during times of amplified cyber traffic,” said Al Martinek, Customer Threat Analyst, Horizon3.ai. “Adopting a proactive, autonomous approach that involves identifying, addressing, and validating exploitable vulnerabilities serves as the primary defense against cyber threats for any organization.”

VF Corp did not describe the ransomware attack as such but indicated that the hackers disrupted operations after “encrypting some IT systems.” The attacker’s identity remained undisclosed, although the ALPHV/BlackCat ransomware group had claimed responsibility.

Meanwhile, VF Corp said it had restored its ability to fulfill orders and replenish stocks but still grappled with “minor residual impacts from the cyber incident.”

“The attack on VF Corp shows the kind of impact a cyber incident can have on business operations,” said Darren Williams, CEO and Founder of BlackFog. “Business downtime is a primary consequence of cyberattacks and often leads to customer frustration and financial loss.”

The apparel giant is cooperating with law enforcement and regulatory authorities to investigate the ransomware attack and determine its scope.

“Ransomware tactics are constantly evolving,” said Sally Vincent, Senior Threat Research Engineer at LogRhythm. “As the retail sector continues to see these threats, security strategies must be a priority. To safeguard customer data, retail organizations must adopt an approach that prioritizes user training and threat detection, investigation, and response.”

VF Corporation’s ransomware attack had limited material impact

The apparel designer had anticipated that the ransomware attack was “reasonably likely” to have a “material impact on the Company’s business operations until recovery efforts are completed.”

The new regulatory filing confirmed that the cyber incident would have no additional material impact beyond the previously disclosed impacts on business operations, which were no longer ongoing.

Thus, it was unlikely to be “reasonably material to its financial condition and results of operations.” VF Corp would also seek reimbursement of costs, expenses, and losses by lodging claims with cyber insurers.

An accurate assessment of the material impacts of a cybersecurity incident is critical in the early days to comply with the new SEC data breach disclosure rules.

Approved in July 2023 and effective from December 18, the SEC regulation demands that publicly traded businesses report material data breaches and cybersecurity incidents within 96 hours or four days.

“This is one of the first companies to meet and report the attack on their 8-K report as required by the SEC,” said Roger Grimes, Data-Driven Defense Evangelist at KnowBe4. “The one thing I would want to know as a customer, beyond what was stolen, is how it was stolen.”

With an annual revenue of $11.6 billion, VF Corporation owns 1,265 stores and employs over 35,000 people globally.