Apparel giant VF sends out breach letters to millions following 2023 cyberattack

One of the largest apparel companies in the world began sending out breach notification letters on Wednesday to inform millions of customers that hackers stole personal information during an attack last year.

The VF Corporation — owner of brands like Vans, North Face, Timberland, Dickies, Jansport and more — warned customers that a December 13 hack leaked troves of information about customers.

“Our investigation revealed that the incident has affected some personal information of our customers that we normally store and process in order to manage online purchases, such as email address, full name, phone number, billing address, shipping address,” the letter said. “In certain cases, the affected data may also include order history, total order value, information about what payment method was used for the purchases.”

The attack was later claimed by the now-defunct AlphV ransomware gang, and in SEC filings the company said an investigation revealed that the personal data of about 35.5 million individual consumers was taken. 

The company did not respond to requests for comment about whether the breach notification letters were sent to all 35 million people. No financial information or Social Security numbers were in the breached information. 

The hackers were removed from company systems two days after the incident was discovered and law enforcement agencies were involved in the response. 

The company said in January that the attack forced its IT team to shut down some systems, causing a variety of disruptions that included interrupting “the replenishment of retail store inventory and delayed order fulfillment which had impacts such as the cancellation by customers and consumers of some product orders, reduced demand on certain of its brands’ e-commerce sites, and delay of some wholesale shipments.”

The initial filing by VF was one of the first to come under new SEC rules mandating that companies report any cyberattack that may have a “material” effect on business operations. 

VF previously reported another security incident to regulators in Maine in 2022, when nearly 200,000 customers had their information leaked during a credential stuffing attack.