VF Corp. has begun an investigation with leading external cybersecurity experts to contain, assess and remediate a cybersecurity breach at the company that occurred Dec. 13.
In an 8-K filed with the Securities and Exchange Commission on Friday, VF said the company detected unauthorized occurrences on a portion of its information technology systems. At that point, VF immediately began taking several steps, including beginning an investigation with leading external cybersecurity experts, activating its incident response plan and shutting down some systems, the company said.
“The threat actors disrupted the company’s business operations by encrypting some IT systems, and stole data from the company, including personal data,” the company said in the filing. “The company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers.”
According to the filing, VF-operated retail stores globally are open, and consumers can purchase available merchandise, but VF is experiencing certain operational disruptions.
The company said consumers are able to place orders on most of the brand e-commerce sites globally, however, the company’s ability to fulfill orders is currently impacted.
VF, along with its cybersecurity experts, continues to work to respond to and mitigate the impact from the incident, and has notified and is cooperating with federal law enforcement.
“As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the company’s business operation until recovery efforts are completed,” according to the filing. The company hasn’t yet determined if the breach will impact financial results, it said in the filing.
“The company will continue to review its security measures to look for opportunities to strengthen resiliency in an ever-evolving threat landscape,” a VF spokesperson said.
In July, 2022, The NorthFace suffered a credential-stuffing attack on its website. Vans was also impacted. VF immediately began sending notification letters to anyone affected. The hack was discovered on Aug. 11, 2022, and stopped on Aug. 19, 2022.
VF. Corp., under new chief executive officer Bracken Darrell, has been doing some belt tightening at the company. Last month, it was reported that the firm eliminated about 500 salaried positions across the company globally. The company saw revenues decline 4 percent to $5.1 billion in the first half.
The North Face has been strong, but Vans is still in turnaround mode, and activists have been pushing the company to take a hard look at the rest of the portfolio. VF is in the process of selling its Kipling, Eastpak and JanSport backpack businesses.