35.5 Million Customers Affected by Apparel Maker VF’s Breach

Skateboarding shoe and outdoor apparel maker VF Corp. said data pertaining to 35.5 million customers appears to have been stolen in a recent data breach.

See Also: OnDemand | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding

The Colorado maker of apparel and footwear brands including Vans, Supreme, The North Face and Timberland, told investors Thursday that its data breach estimate is based on a “preliminary analysis.”

VF said its “investigation and remediation efforts remain ongoing” following unauthorized access to its systems the company first detected on Dec. 13.

The company said it believes it ejected the hacker from its systems on Dec. 15. Before then, the hacker stole data and successfully encrypted some IT systems, the company said. VF didn’t detail what data was stolen, but did say it doesn’t collect or retain any customers’ Social Security numbers, bank account details or payment card information.

As a result of the attack, VF said it shut down some systems, disrupting some operations. Impacts it cited included “interrupted replenishment of retail store inventory and delayed order fulfillment which had impacts such as the cancellation by customers and consumers of some product orders, reduced demand on certain of its brands’ e-commerce sites, and delay of some wholesale shipments.”

The Denver company earned $11.6 billion in revenue last year and owns 12 brands, including JanSport backpacks and Dickies rugged wear.

The company said all retail stores remained open following the attack. The company also warned online customers of delivery delays.

Timberland’s website read after the breach: “Apologies, logistical disruptions are impacting delivery dates.” A similar message appeared on the checkout page of the Vans website: “Apologies, due to a logistical disruption, the estimated delivery dates shown in the checkout process are incorrect. You will be notified by email when your item ships and can then track it with the shipper.”

VF on Thursday reported that although it’s “still experiencing minor residual impacts” from the attack and has yet to fully restore all systems, it “has resumed retail store inventory replenishment and product order fulfillment, and is caught up on fulfilling orders that were delayed as a result of the cyber incident.”

VF first announced the cybersecurity breach on Dec. 18, the same day the U.S. Securities and Exchange Commission’s new mandate for large and medium-sized publicly traded companies took effect, requiring that they disclose “material cybersecurity incidents” within four business days of determining materiality. Small businesses have until mid-June before they must comply with the rule (see: SEC Votes to Require Material Incident Disclosure in 4 Days).

While VF initially reported that the breach was having a material impact on its business, but said that has ended. In its Thursday report to investors, the company said that since it mostly remediated the attack, “the impacts of the cyber incident are not material and are not reasonably likely to be material to its financial condition and results of operations.”

The company said at least some incident response and remediation costs should be recouped via its cyber insurance coverage. “The timing and amount of any such reimbursements is not known at this time.”

On Friday, VF’s share price was down about 20% compared to 32 days prior, when it first announced the data breach.

With reporting from Information Security Media Group’s Mihir Bagwe in Mumbai.