VF Corporation, the owner of popular apparel brands such as Vans, Supreme, and The North Face, has reported a significant cyberattack that has disrupted its operations. The company has disclosed that the cyberattack, suspected to be a ransomware attack, has led to the encryption of IT systems and the theft of personal data.
Key Takeaway
VF Corporation, the parent company of popular brands like Vans and Supreme, has been hit by a cyberattack, impacting its ability to fulfill orders and resulting in the theft of personal data. The incident underscores the growing threat of ransomware attacks and the need for organizations to enhance their cybersecurity measures.
Cyberattack Impact on Operations
The cyberattack, which was first detected on December 13, has resulted in operational disruptions for VF Corp. This includes the company’s ability to fulfill orders, particularly during the crucial holiday shopping season.
Customers attempting to place orders on the Vans website have been met with logistical challenges, as indicated by a message displaying incorrect delivery dates and disruptions in the checkout process.
Company Response and Uncertainties
VF Corp. has stated that its retail stores remain open, and customers can still make purchases online for available merchandise. However, the company has not provided a clear timeline for when orders are expected to be fulfilled.
Despite the impact on its operations, the company has not disclosed whether a ransom demand was made by the hackers. Additionally, there is uncertainty surrounding the extent of the data breach, the number of individuals affected, and the identity of the attackers.
Regulatory Disclosure and Ongoing Investigation
The company has warned that the cyberattack will have a “material impact” on its business until its systems are fully recovered. As the investigation is ongoing, VF Corp. has emphasized that the full scope and nature of the incident are not yet known.
Furthermore, the disclosure of the cyberattack aligns with the new data breach disclosure rules set forth by the U.S. Securities and Exchange Commission. This regulation mandates organizations to report cybersecurity incidents, including data breaches, to the federal government’s securities regulator within four business days.
