VF Corporation, an apparel and footwear supplier for brands
like Vans, North Face, Timberland, Dickies and more, has announced that the personal data of about 35.5 million of its consumers was stolen by a hacker in a December cyberattack.
On December 18,
in a Securities and Exchange Commission (SEC) filing, the company originally reported that it had been hit by a cyberattack after noticing unauthorized occurrences on its IT systems the previous
week.
VF later learned that the attackers stole personal data from customers, which interrupted order fulfillment during holiday shopping.
Despite how widespread the attack ended up
being, the SEC reported that VF doesn't collect or retain in its IT systems any consumer social security numbers, bank account information or payment card information as part of its direct-to-consumer
practices.
“While the investigation remains ongoing, VF has not detected any evidence to date that any consumer passwords were acquired by the threat actor,” the SEC adds in its
most recent filing surrounding the incident.
In addition, the company said that the unauthorized users were “ejected” from its IT systems two days after the attack.
“Since the filing of the Original Report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational
impacts,” the latest filing states.
Information regarding who carried out the attack has yet to be announced by VF.