VF Corporation, owner of US-based apparel brands including Vans, Supreme and The North Face, confirmed that the cyberattack had affected the company’s ability to fulfill orders ahead of Christmas, one of the biggest retail events of the year.
Company based in Denver, Colorado he said in a filing with federal regulators The cyberattack, which the company first discovered on December 13, saw hackers disrupt the company’s operations “by encrypting some IT systems, and stealing data from the company, including personal data,” implying a ransomware attack.
As a result, the company says it continues to experience operational disruptions, including “the ability to fulfill orders.”
When TechCrunch tried to place an order on Vans’ website, a message appeared saying: “We apologize, due to logistical disruption, the estimated delivery dates shown in the checkout are incorrect. You will be notified via email when your item ships and can then track it with the shipping company.”
VF Corp said in its filing that the retail stores it operates globally are open, and consumers can purchase goods available online. It’s unclear when orders are expected to ship, and a company spokesperson did not say when.
When reached via email, VF spokesperson Colin Wheeler provided TechCrunch with a statement that echoed the company’s filing with regulators. The company did not answer TechCrunch’s questions about the incident and will not do so Say whether the company has received a ransom demand from hackers.
The company has not yet said how it was hacked, what types of data were accessed, and how many individuals — whether employees, customers, or both — were affected by the breach. It is also unknown who was behind the attack, for which no tracked ransomware group has yet to claim responsibility.
In its regulatory filing, VF Corp. warned: The cyberattack will have a “material impact” on its business until its systems are restored. “As the investigation into the incident is ongoing, the full scope, nature and impact of the incident are not yet known,” the filing said.
VF Corp. disclosed the incident on the same day that new data breach disclosure rules issued by the U.S. Securities and Exchange Commission went into effect. This regulation means that organizations must report cybersecurity incidents, including data breaches, to the federal government’s securities regulator. Within four working days.