Thieves steal 35.5M customers’ data from Vans, Dickies, Timberlands parent comp’s sales systems

a vans sneaker and timberland boot with an axe through them

VF Corporation, parent company of clothes and footwear brands including Vans and North Face, says 35.5 million customers were impacted in some way when criminals broke into their systems in December.

The announcement was made in a Thursday 8-K/A filing with the Securities and Exchange Commission (SEC), and we’re only left to speculate about what kind of information the attackers may have scrambled away with.

The parent company of fashion labels, which also include Supreme, Timberland, and Dickies did, however, confirm the type of data that couldn’t have been accessed.

VF Corp said that customers’ social security numbers (SSNs), bank account information, and payment card information remain uncompromised as these are not stored in its IT systems.

There’s also no evidence to suggest that consumer passwords were accessed, it confirmed, although it did caveat this with “the investigation remains ongoing”.

If you want to really look between the lines of the document’s wording, you’ll see that VF Corp explicitly said SSNs, financial information, and passwords – all excluded from potential compromise – were all explicitly defined as being consumer-related specifically.

The same goes for the number of individuals affected – 35.5 million “individual consumers” had their personal information stolen.


When the attack was first disclosed, the clothes seller said its ability to fulfill orders was affected, but online and retail stores were still up and running as normal.

This week’s filing said the company’s ability to replenish retail stores’ inventory was affected and combined with the fulfillment issues. This led to customer order cancellations and reduced demand across some of its brands’ e-commerce sites.

“Since the filing of the original report, while VF is still experiencing minor residual impacts from the cyber incident, VF has resumed retail store inventory replenishment and product order fulfillment, and is caught up on fulfilling orders that were delayed as a result of the cyber incident,” the filing reads.

“Since the filing of the original report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts.”

The attack on VF Corp is suspected to have involved ransomware. The filings mention parts of its IT systems being encrypted, and the AlphV/BlackCat gang claimed the attack days after its disclosure, but the company has not confirmed this to be the case.


Source: Thieves steal 35.5M customers’ data from Vans sneakers maker • The Register

The real question here is why on earth these guys were holding so many customers information? And in a centralised system?

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft