Nearly 3,000 North Face website customer accounts breached as retail incidents continue
The parent company of outdoor clothing brand The North Face said almost 3,000 customers were affected by a data breach on its retail website in April.
VF Outdoor, which owns the JanSport and Timberland brands in addition to North Face, said in breach notification letters that it initially discovered unusual activity on April 23. VF Outdoor filed notifications in Vermont and Maine, telling the state that 2,861 people had their accounts accessed.
An investigation revealed that an attacker launched a credential stuffing attack on the North Face website, using login information stolen from other breaches to gain access to user accounts.
“Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from us) and then used those same credentials to access your account on our Website,” VF Outdoor explained.
The company claimed it does not believe the incident involved information that would require it to notify victims of a data breach, but said it is informing customers “out of an abundance of caution.”
The hacker accessed North Face account information ranging from products a person has purchased on the website to someone’s address, name, date of birth and telephone number.
Payment cards were not compromised because they are held on a third-party payment card processor platform, the company said. The only payment-card information retained by the North Face site is a token that “cannot be used to initiate a purchase anywhere other than on our website.”
The company has disabled all passwords for accounts on its site and has forced customers to create new ones. The letter notes that if a customer used the same password on multiple sites, they should change it because it has been compromised.
Identity protection services will not be offered to victims. VF Outdoor reported a similar security incident to regulators in Maine in 2022, when nearly 200,000 customers had their information leaked during another credential stuffing attack.
VF Outdoor was also one of the first companies to report a “material” ransomware attack to the U.S. Securities and Exchange Commission (SEC) on the first day that a new cyber incident reporting rule went into effect. The attack in December 2023 caused operational disruptions that impacted the company’s ability to fulfill orders.
The attack on North Face comes as several high-profile retailers in the U.K. and U.S. report cyberattacks in a months-long campaign attributed to cybercriminal operation Scattered Spider.
Last week, women’s fashion brand Victoria’s Secret said it was working to restore operations after experiencing a security incident. On Tuesday, the company said the cyberattack “has prevented employees from accessing certain systems and information needed to support the Company’s release of its financial results for the first quarter” and would need to postpone its earnings call.
Fashion brand Cartier sent a notice out to customers on Tuesday warning of a cyber incident where hackers accessed the company’s systems and customer information. Adidas, Dior, and Tiffany all announced data breaches or security incidents that exposed customer and employee data over the last two weeks.
The incidents prompted the FBI to deliver cyber-intelligence briefings to major retailers over the last month after reports that Scattered Spider had shifted their focus from attacks on outlets in the U.K. to U.S.-based companies. The notices came after multiple attacks on U.K. retailers Marks & Spencer, the Co-op, and luxury retailer Harrods.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.