
Thieves steal 35.5M customers’ data from Vans sneakers maker

But what kind of info was actually compromised? None of your business

VF Corporation, parent company of clothes and footwear brands including Vans and North Face, says 35.5 million customers were impacted in some way when criminals broke into their systems in December.

The announcement was made in a Thursday 8-K/A filing with the Securities and Exchange Commission (SEC), and we're only left to speculate about what kind of information the attackers may have scrambled away with.

The parent company of fashion labels, which also include Supreme, Timberland, and Dickies, did, however, confirm the type of data that could not have been accessed.

VF Corp said that customers' social security numbers (SSNs), bank account information, and payment card information remain uncompromised as these are not stored in its IT systems.

There's also no evidence to suggest that consumer passwords were accessed, it confirmed, although it did caveat this with "the investigation remains ongoing".

If you read between the lines of the document's wording, you'll notice that the categories VF Corp explicitly excluded from potential compromise – SSNs, financial information, and passwords – were all explicitly defined as being consumer-related specifically.

The same goes for the number of individuals affected – 35.5 million "individual consumers" had their personal information stolen.

Neither its original breach disclosure filing nor this week's update mentioned compromised data related to staff, business partners, or other stakeholders. The Register requested a statement from VF Corp but had not received a response by the time of publishing.

As for the operational disruption the attack caused, VF Corp said IT systems have been "substantially restored" and its businesses are now operating with minimal disruption.

When the attack was first disclosed, the clothes seller said its ability to fulfill orders was affected, but online and retail stores were still up and running as normal.

This week's filing said the company's ability to replenish retail stores' inventory was also affected, which, combined with the fulfillment issues, led to customer order cancellations and reduced demand across some of its brands' e-commerce sites.

"Since the filing of the original report, while VF is still experiencing minor residual impacts from the cyber incident, VF has resumed retail store inventory replenishment and product order fulfillment, and is caught up on fulfilling orders that were delayed as a result of the cyber incident," the filing reads. 

"Since the filing of the original report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts."

The attack on VF Corp is suspected to have involved ransomware. The filings mention parts of its IT systems being encrypted, and the AlphV/BlackCat gang claimed the attack days after its disclosure, but the company has not confirmed this to be the case.

That being said, it wouldn't be the first ransomware victim to carefully massage the wording of its disclosures so as to avoid the dreaded R word.

The practice is commonplace in the industry and reached its peak last year when Minneapolis Public Schools notoriously referred to its attack, later claimed by the Medusa ransomware gang, as an "encryption event." ®
