Millions of Vans, Supreme, and The North Face customers have had their data stolen following a cyberattack against parent company VF Corp, the company has confirmed.
Late last year, VF Corp. filed a report with the SEC, claiming it spotted an attack on December 13 which encrypted “some IT systems”.
While VF did initially say hackers managed to steal personal data from the company, it did not say what data specifically, whose data it was, or how many people were impacted.
Payment data is secure
VF has now filed a new report with regulators, further detailing the breach, TechCrunch reports, revealing that the hackers stole personal data of 35.5 million customers.
Other details about the data are still missing, but some things can be eliminated, as VF said it doesn’t keep Social Security Numbers, bank account information, or payment card information.
That leaves things like names, birth dates, email addresses, postal addresses, as well as passwords, and purchase history. VF said there is no evidence passwords were tampered with.
The attackers deployed ransomware on VF’s infrastructure, forcing the company to disconnect some endpoints and shut parts of its network down. As a result, the shipping calculator broke, leaving customers in the dark on when their purchases might arrive. The companies were still capable of taking orders, though.
The aftermath of the ransomware attack is yet to be seen. VF says it expects a “material impact”, but did not elaborate further.
Usually, ransomware groups steal valuable data that they can exchange for cryptocurrencies, either with the victims, or on the black market. If it’s not proprietary data that could be useful to the competitors, then it’s customer data such as names, email addresses, and more.