Lifestyle apparel brand VF Corp filed an amended breach disclosure with the US Securities and Exchange Commission (SEC), revealing that the personal information of over 35 million individuals was stolen during a December ransomware attack.
The December 13th ransomware attack, since claimed by the notorious ALPHV/BlackCat ransom gang, forced VF Corp to shut down parts of its IT infrastructure, creating holiday season havoc for the global manufacturer of The North Face, Vans, Timberland, and more.
“Based on VF’s preliminary analysis from its ongoing investigation, VF currently estimates that the threat actor stole personal data of approximately 35.5 million individual consumers," the company stated in the January 18th amended 8K/A filing.
The original breach disclosure was filed with the SEC on December 18th, as required according to the agency’s recently updated four-day disclosure rule.
That same day, a VF Corp spokesperson had confirmed to Cybernews that some of its systems had been encrypted and personal data had been stolen, but was unable to provide further details at the time.
When asked about the recent developments on Friday, the same spokesperson reiterated what was already noted in the amended filing.
“VF does not collect or retain in its IT systems any consumer social security numbers, bank account information or payment card information as part of its direct-to-consumer practices,” the one-page document states.
The form also states the company has “not detected any evidence to date that any consumer passwords were acquired by the threat actor.”
“VF Corporation shut down the affected systems to contain the breach,” yet the company is still determining “the extent of the attack with help from federal law enforcement,” said Andrew Costis, Chapter Lead of the Adversary Research Team at Attack IQ.
Costis pointed out that ransomware attacks are "growing in sophistication and volume across industries" and that “preparation is the best form of defense.”
“While no cyber threat is the same, by simulating attacks using specific tactics, techniques, and procedures (TTPs) used by threat actors, organizations can test their security controls to optimize responses and pinpoint gaps,“ he said.
VF Corp said systems and impacted data have been mostly fully restored, and the company plans on filing a claim with its cyber insurance carrier to make up for any financial losses.
Considered one of the world’s most prominent apparel, footwear, and accessories companies, VF Corp said its “retail stores, brand e-commerce sites, and distribution centers are now operating with minimal issues.”
The publicly traded company has more than 1265 retail stores, and a revenue of $11 billion, according to its website.
Brand operations that were interrupted during the busy holiday shopping season included the replenishment of retail store inventory, delayed order fulfillment, as well as the delay of some wholesale shipments, the company said.
The delays led to some customer order cancellations and reduced traffic on its e-commerce sites, but the Denver-headquartered company said the material impact has been limited, and it has "caught up" on any backlog of holiday orders.
Nick Tausek, Lead Security Automation Architect at Swimlane, noted that the ransomware attack took place during the height of the holiday shopping season, highlighting the "critical need for proactive cybersecurity measures in an industry increasingly vulnerable to such threats.”
"With a vast customer base across multiple brands, VF serves as a cautionary tale for all retailers: robust preventative measures are no longer optional, they're essential," Tausek said.
Besides The North Face outerwear and Vans sneakers, VF Corp is the parent company of roughly a dozen brands, including Timberland, Dickies, Smartwool, Kipling, Jansport, and Eastpak.
“By automating the security process using a low-code automation platform, security teams are able to detect and respond to threats with increased efficiency and insight. This approach reduces vulnerability to the increased sophistication of ransomware attacks,” Tausek said.
Soon after the attack on VF Corp, the Russian-linked ALPHV/BlackCat group had its own operational problems after the FBI seized one of its domain controllers, shutting down its dark leak blog (which VF Corp had been listed by the end of December)
The gang managed to reclaim its site briefly from the FBI, before eventually moving its official brand to a new dark web address.
Although the FBI hack of several of the gang’s website domains resulted in zero arrests, the agency was able to get its hands on one of ALPHV’s decrypter tools, which is said to have helped at least 300 companies regain their data.
Its not clear if VF Corp is one of the companies who were able to benefit from the decrypter, or is still part of the other one thousand companies whose files remain encrypted by ALPHV.
The ransomware cartel was tracked by security firm ReliaQuest as the third most active ransomware cartel operating in Q3 2023, carrying out hundreds of attacks and causing an estimated loss of over $1 billion alone in 2023.
Known for its triple-extortion tactics, ALPHV/BlackCat joined forces with Scattered Spider to carry out the September 2023 attacks on two Las Vegas casino giants, MGM Resorts and Caesars International.
More from Cybernews:
Subscribe to our newsletter