Massive Data Breach at VF Hits 35M Vans, Retail Customers

A month on from a retail conglomerate's data breach, it's still not clear exactly what the hackers stole, but impacted brands include Dickies, Northface, Timberland, Vans, and more.

2 Min Read
Rows of Vans shoes at a retail outlet
Source: Medicimage Education via Alamy Stock Photo

Personal data belonging to 35.5 million customers of popular apparel brands was exposed in a December data breach, though the exact nature of the stolen data remains unclear.

The befelled company, VF Corporation, is a 125-year-old, $6 billion dollar clothing conglomerate based out of Denver. Popular brands under its umbrella include Dickies, JanSport, North Face, Supreme, Timberland, Vans, and more.

Per annual cybercrime tradition, VF discovered it had been breached during the leadup to the holiday shopping season, on Dec. 13. Aside from disruptions to its business operations, personal data belonging to more than 35 million of its customers was siphoned off, according to an 8-K/A filing with the US Securities and Exchange Commission (SEC), updated yesterday.

VF Data Breach: What We Know

After first discovering the incident, VF reported having to shut down some of its IT systems. Doing so caused disruptions to certain operations, including delays to inventory replenishment, shipments, and order fulfillment. As a result, demand for certain affected brands' websites slowed, and some customers canceled orders.

The company kicked the cyberattackers out of its systems on Dec. 15. The 8-K/A does not specify the nature of the attack nor the perpetrators but, in its Dark Web blog last month, AlphV/BlackCat claimed responsibility, which may mean ransomware and extortion were involved.

Even now, more than a month on, the company "is still experiencing minor residual impacts from the cyber incident," according to the 8-K/A, though it has "substantially restored the IT systems and data that were impacted," and resumed as normal with inventory and orders.

What VF Retail Customer Data Was Stolen?

VF did not disclose on Thursday what customer information was stolen from its IT systems and noted that its investigation is ongoing.

It did, however, highlight certain data that wasn't stolen. There's no evidence yet to suggest that customers' account passwords were taken, and the company does not store Social Security numbers, bank account details, or credit card numbers in its IT systems.

"By disclosing what wasn't taken, VF is providing a certain level of assurance to the SEC and their investors that several types of highly sensitive [personally identifiable information] PII were not among the 35 million records," says Padraic O'Reilly, co-founder and chief innovation officer for CyberSaint.

However, he adds, "based on this, we can assume that customer names, addresses, demographic and purchase information might be in play. 8-Ks are usually staged as investigations progress, so this is a stay-tuned situation."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights