VF Corporation, the parent company of Vans, Supreme, and The North Face, has stated that a cyberattack has hampered the business’s ability to fulfill orders ahead of Christmas, one of the year’s busiest retail events.
In a filing with federal regulators, the Denver, Colorado-based corporation stated that hackers disrupted the company’s operations “by encrypting some IT systems and stealing data from the company, including personal data,” implying a ransomware attack.
As a consequence, the firm claims it is still experiencing operational difficulties, including its “ability to fulfill orders.”
When Eltrys went to make a purchase on the Vans website, she received the following message: “Apologies, the estimated delivery dates shown in the checkout process are incorrect due to logistical disruption. When your item ships, you will be alerted via email and will be able to track it with the shipper.”
In its filing, VF Corp. said that the retail locations it runs around the world remain open and that customers may buy available products online. It’s unclear when purchases will be sent, and a business spokeswoman declined to comment.
When contacted via email, VF Corp. spokesman Colin Wheeler responded with a statement that reflected the company’s regulatory filing. The corporation did not respond to Eltrys’ queries regarding the event, nor did it clarify whether the hackers had demanded a ransom.
The firm has not yet said how it was hacked, what kind of data was obtained, or how many people were impacted by the incident, whether workers, consumers, or both. Additionally, no well-known ransomware gang has yet claimed responsibility for the assault.
VF Corp. warned in a regulatory statement that the intrusion would have a “material impact” on its business unless its systems were restored. “As the investigation of the incident is ongoing, the full scope, nature, and impact of the incident are not yet known,” the statement reads.
VF Corp. announced the incident on the same day that the Securities and Exchange Commission’s new data breach notification regulations went into effect. Under these regulations, organizations must disclose cybersecurity events, including data breaches, to the federal government’s securities regulator within four working days.