Parent company of North Face and Vans reported holiday hack

A cyber attack on one of the world’s most popular retailers landed right in the middle of the holiday shopping season, disrupting order fulfillment at the worst possible time.

VF Corp., the parent company of Vans, North Face, Timberland, and others, reported the breach in an SEC filing on December 15. Shares in the company dropped on Dec. 18 in response to the news.

According to the company’s report, it first noticed the breach on December 13.

Sounds familiar. Attackers encrypted internal systems and stole company and personal data, though the nature of the attack—whether it was ransomware or something else—had still not been determined.

“As the investigation of the incident is ongoing, the full scope, nature, and impact of the incident are not yet known,” VF Corp. said in its filing.

The company said it was cooperating with federal law enforcement to manage the fallout and deal with any ongoing threats.

Impacts varied depending on where consumers were buying the company’s products. VF Corp. said its stores around the world remained open. Customers could order online but fulfillment was affected.

Zooming out. In response to the uptick in supply chain attacks, some vendors are rethinking their cybersecurity posture. They're increasingly incorporating security practices at the software development stage, to avoid embedding malware and to adhere to recent federal software supply chain guidance."

In practice, that’s increasingly meant involvement at the developer level to ensure the security posture matches what’s needed from the company, often by demanding certain security frameworks be used by software suppliers.

“By doing that, organizations can make better basically risk management decisions about the code that they’re using in the environment,” Dale Gardner, senior director at market-intelligence firm Gartner, told IT Brew this summer.

The timing of the VF Corp. breach during the holiday shopping season makes the hack unusual, but it follows a 2023 trend of cyberattacks having real world effects on distribution systems. An attack on The Clorox Company in August meant fewer orders processed at the end of the summer, as IT Brew reported.