
Major Cyberattack Hits VF Corp, Affecting 35.5 Million Customers

VF Corp, the parent entity of renowned apparel brands such as Vans, Supreme, and The North Face, has reported a significant cyberattack leading to the theft of personal data of 35.5 million customers. The Denver, Colorado-based company disclosed the breach in a regulatory filing on Thursday, although the specifics of the stolen personal data remain unclear.


VF Corp. has not yet identified the exact nature of the data compromised in the December cyberattack.

In a reassuring note, VF Corp stated that it does not store sensitive customer information such as Social Security numbers, bank account details, or payment card information for its consumer businesses. Additionally, there is no evidence to suggest that customer passwords were among the stolen data.

The attack, which VF Corp had previously acknowledged, involved the encryption of some of its IT systems, hinting at a ransomware attack. The notorious ransomware and extortion group ALPHV, also known as BlackCat, later took responsibility for this breach.

This cyber incident had initially caused significant operational disruptions for VF Corp, impacting their ability to fulfill orders. However, in their recent filing, the company indicated that while there are minor residual impacts from the incident, they have managed to catch up on the order fulfillment that was delayed due to the attack.

VF Corp. has made significant progress in restoring the IT systems and data affected by the cyber incident. Despite this recovery, the company continues to navigate through minor operational challenges.

This cyberattack on VF Corp highlights the growing concern of cybersecurity threats faced by large corporations, impacting millions of consumers and emphasizing the need for robust digital security measures in today's interconnected world. Experts at Horizon3.ai weighed in on the incident and what other organizations can learn from it.

Al Martinek, Customer Threat Analyst, Horizon3.ai:

   “Threat actors steal data, exploit weak credentials, and ultimately find any way possible to disrupt company operations during times of amplified cyber traffic. Adopting a proactive, autonomous approach that involves identifying, addressing, and validating exploitable vulnerabilities serves as the primary defense against cyber threats for any organization. Solutions such as continuous penetration testing not only deliver prompt results for addressing crucial issues but also save valuable time and stress for security teams. This approach allows for timely mitigations and verifications, providing organizations with the necessary peace of mind in keeping sensitive information out of enemy hands and networks hardened against attacks.”

Stephen Gates, Principal Security SME, Horizon3.ai:


“These oversights and error conditions are one of the biggest reasons why the SEC's new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.

If you are not continuously assessing your internal, external, and cloud infrastructures, you likely will not be able to identify and manage material risks from cybersecurity threats. The real key is to continuously assess yourself before attackers do it for you.”
