• by Colin Kirkland , January 22, 2024

VF Corporation, an apparel and footwear supplier for brands like Vans, North Face, Timberland, Dickies and more, has announced that the personal data of about 35.5 million of its consumers was stolen by a hacker in a December cyberattack.

On December 18, in a Securities and Exchange Commission (SEC) filing, the company originally reported that it had been hit by a cyberattack after noticing unauthorized occurrences on its IT systems the previous week.

VF later learned that the attackers stole personal data from customers, which interrupted order fulfillment during holiday shopping.

Despite how widespread the attack ended up being, the SEC reported that VF doesn't collect or retain in its IT systems any consumer social security numbers, bank account information or payment card information as part of its direct-to-consumer practices.

“While the investigation remains ongoing, VF has not detected any evidence to date that any consumer passwords were acquired by the threat actor,” the SEC adds in its most recent filing surrounding the incident.

In addition, the company said that the unauthorized users were “ejected” from its IT systems two days after the attack.

“Since the filing of the Original Report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts,” the latest filing states.

Information regarding who carried out the attack has yet to be announced by VF.