The personal information of 35.5 million customers was stolen in a ransomware attack in December 2023, apparel and footwear brands owner and operator VF Corporation revealed on Thursday.
In mid-December, the Denver, Colorado-based company, which owns brands such as Dickies, The North Face, Smartwool, Timberland, and Vans, announced that it took certain systems offline in response to a ransomware attack that impacted its operations.
Right from the start, VF Corp said that the attackers were able to access certain corporate and personal information, and that a material impact from the incident was expected.
In a January 18 Form 8-K filing with the Securities and Exchange Commission (SEC), the company revealed that the hackers stole the personal information of approximately 35.5 million individual consumers.
While it did not specify what type of information was compromised in the data breach, VF Corp pointed out that it does not store Social Security numbers, bank account information, and payment card details, and that it has found no evidence that customer passwords were stolen.
The company also said that “the threat actor was ejected from VF’s IT systems on December 15, 2023,” and that it has since restored all impacted systems, albeit it continues to experience some minor operational impact.
Following the shut down of systems to contain the attack, the company was unable to replenish retail store inventory and order fulfillment was delayed, which resulted in order cancellations, reduced demand on certain web stores, and the delay of some wholesale shipments.
VF Corp retail stores, brand e-commerce websites, and distribution centers are currently operating with minimal issues, the company said.
“While VF is still experiencing minor residual impacts from the cyber incident, VF has resumed retail store inventory replenishment and product order fulfillment, and is caught up on fulfilling orders that were delayed as a result of the cyber incident,” the company also noted.
VF also said that it expects the attack to have no other material impact than “the material impacts on VF’s business operations” disclosed in December and the incident might not influence its financial condition and results of operations.