2 min read

35.5 million customers of major apparel brands have their data breached after ransomware attack


January 19, 2024

Promo Protect all your devices, without slowing them down.
Free 30-day trial
35.5 million customers of major apparel brands have their data breached after ransomware attack

Bought some Timberland shoes? Wear a North Face jacket? You, and millions of purchasers of other popular high-street brands, could have had their data stolen by the ALPHV ransomware group.

Last month, VF Corp, the parent company of brands such including Vans sneakers and Kipling backpacks, revealed in an SEC filing that it had discovered on December 13 2023 that hackers had broken into its infrastructure and encrypted IT systems, and stolen personal data in a ransomware attack.

As a consequence, operations - including the fulfilment of customers' online orders - were disrupted in the run-up to the crucial holiday season.

The ALPHV ransomware gang (also known as BlackCat) later claimed responsibility for the breach.

This week, VF Corp has told regulators that the attackers stole the personal data of 35.5 million customers.

VF Corp's family of brands include:

  • Altra
  • Dickies
  • Eastpak
  • icebreaker
  • JanSport
  • Kipling
  • Napapijri
  • Smartwool
  • Supreme
  • The North Face
  • Timberland
  • Vans

The good news is that VF Corp does not retain consumers' payment card details, bank account information, or social security numbers - so you probably don't have to worry that that particularly sensitive information has fallen into the hands of hackers.

Frustratingly, VF Corp has not shared specific details of what data has been stolen, making it difficult to provide specific advice for consumers who may be impacted.

For instance, VF Corp says that it has not found any evidence that customer passwords were stolen. However, I think if I had entrusted my personal information to the above brands I would not hesitate to change relevant passwords just in case.

Although details of what specific data has been stolen, it would not be a surprise to me if personal contact details, addresses, and order information was included in the data exfiltrated by the attackers.

VF Corp says that its ecommerce sites and distribution centers are presently "operating with minimal issues," and that it is co-operating with law eforcement agencies and regulators in the wake of the breach.

The company says that it does not yet know how much the security breach (and its recovery) has cost, but that it believes the impact are "not material" and "not reasonably likely to be material to its financial condition."

VF Corp says it will be seeking to recoup costs of the breach through submitting claims to its cybersecurity insurers.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like