Skip to main content
close search
site logo
Dive Brief

Cyberattack on VF Corp. disrupts order fulfillment

The attack on the company last week, which owns Vans and The North Face, also resulted in data theft.

Published Dec. 18, 2023
Laurel Deppen's headshot
Reporter
People walk past the exterior of a Timberland storefront.
A Timberland storefront. Timberland's holding company, VF Corporation, experienced a cybersecurity attack. Matthew Eisman/Getty Images for Pandora Media via Getty Images

First published on

Fashion Dive

Dive Brief:

  • VF Corp. was hit by a cyberattack last week that resulted in the theft of data, including personal information, according to an 8-K filing with the U.S. Securities and Exchange Commission Monday.
  • Customers can place orders on most of its brands’ e-commerce sites globally, which include Vans and The North Face, but VF’s ability to fulfill orders is impacted by the incident, the company said.
  • While the investigation of the attack is ongoing, VF said in the filing the incident “has had and is reasonably likely to continue to have a material impact on the company’s business operations until recovery efforts are completed.”

Dive Insight:

VF Corp. has not determined if the cyberattack will take a material hit on its finances or “results of operations,” the company said in the filing. 

“VF, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from this incident and has notified, and is cooperating with, federal law enforcement,” a company spokesperson said in an email to Fashion Dive. “The company will continue to review its security measures to look for opportunities to strengthen resiliency in an ever-evolving threat landscape.”

VF detected “unauthorized occurrences” in its IT systems on Dec. 13, per the filing, and began an investigation into the incident which included shutting down some systems. The threat actor encrypted some IT systems.

Neither the filing nor the VF spokesperson provided more detailed information on the stolen data.

VF is working to bring the impacted portions of its IT system online and create workarounds for certain offline operations “with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers,” the company said.

VF’s operated stores are open globally, and customers can still purchase merchandise, but the filing noted that it is experiencing “certain operational disruptions.” 

It’s hard to know how damaging the incident will be to VF due to the information in the filing, but it could be significant, according to David Swartz, senior equity analyst for Morningstar Research Services.

“The timing is obviously terrible, coming a week before Christmas,” Swartz said in an email to Fashion Dive. “Companies have mitigation plans in place to try to limit the damage in case of an attack, but they can’t plan for everything.”

Last year, HanesBrands experienced a ransomware attack that reportedly cost about $100 million in global sales. However, it recovered some of that loss from a $20.5 million insurance payment.

Swartz noted that the SEC’s cybersecurity disclosure rules, which went into effect in September, may have prompted VF to file the 8-K more quickly than it may have in the past.

“Historically, companies have been very inconsistent on disclosing cyberattacks, and sometimes they would not disclose them at all,” Swartz said.

The news comes as VF, which owns brands Timberland and Dickies is undergoing a transformation program. The plan is meant to bolster its brand building, execution and sales in North America, as well as turnaround the Vans brand, which has been a pain point for the apparel conglomerate.

It reported $3 billion in revenue in its most recent quarterly earnings in October, a 2% decrease from the same period the previous year.

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell