4 minutes

Although consumers can purchase available merchandise, VF Corp. is experiencing operational disruptions as a result of the cyberattack.

The owner of shoe brand Vans reported this week that it “detected unauthorized occurrences on a portion of its information technology (IT) systems,” according to a filing with the U.S. Securities and Exchange Commission. VF Corp reported that it is investigating the cybersecurity incident.

The SEC disclosure came on Dec. 15, the first day that registrants became required to disclose material cybersecurity incidents they experience. They also have to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

In its filing, VF Corp. said it immediately began taking steps to contain, assess and remediate the incident “upon detecting the unauthorized occurrences.” Those steps included VF Corp. beginning an investigation with “leading external cybersecurity experts,” beginning a response plan and shutting down “some systems,” the company reported in its SEC filing.

“The threat actor disrupted the company’s business operations by encrypting some IT systems,” VF Corp. wrote. The threat actor also “stole data from the company, including personal data. The company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail and brand ecommerce consumers and wholesale customers.”

VF Corp. is No. 36 in the Top 1000. The database is Digital Commerce 360’s ranking of the largest North American online retailers by annual web sales. In addition to Vans, VF Corp. also owns The North Face, Timberland, Supreme, Wrangler, Lee, Nautica, Dickies and JanSport, among other brands.


Impact of VF Corp. cyberattack on ecommerce

VF Corp.-operated retail stores remain open globally, the company said. And whereas consumers can purchase available merchandise, the company wrote, VF Corp. is experiencing certain operational disruptions as a result of the cyberattack.

“Consumers are able to place orders on most of the brand ecommerce sites globally,” VF Corp. wrote. “However, the company’s ability to fulfill orders is currently impacted.”

VF Corp. did not reveal the extent of the cyberattack on its ecommerce fulfillment.

Chester Wisniewski, director, global field CTO, at Sophos, a cybersecurity services company, said ransom attacks targeting the retail sector during the winter holiday shopping season are par for the course, but at this busy time they’re particularly damaging.


“For VF Corp., this attack is a bit of a triple-whammy,” Wisniewski said. “Not only are they fighting an active attack during their busiest period; they are also the first to report under the new SEC guidelines, drawing even more attention to their incident.”

Wisniewski said the “good news” is that the company has minimized the impacts at its retail locations. But the cyberattack has impacted the VF Corp.’s fulfillment operations.

“They have stated that personal data was stolen, but it is too early to tell whether it impacts their customers,” Wisniewski said.

Holiday cyberattacks continue to affect online retailers

Around the same time last month, 23andMe Inc., Staples Inc. and Henry Schein Inc. faced cyberattacks. Those attacks, in and around the busy Cyber 5 holiday shopping period, put customers’ privacy at risk. Staples ranks No. 14 in the Top 1000. 23andMe is No. 317.


Those three incidents are not all the same, though, according to Jon Marler, cyber evangelist at VikingCloud, a cybersecurity and compliance company. Marler and his team develop solutions for clients to deal with evolving cyber threats.

The 23andMe incident was not a data breach in the traditional sense, he said, based on publicly available information. According to the company’s statements, the culprit (or culprits) stole customer data, but they did so by exfiltrating via credential stuffing, Marler said.

Meanwhile, the Staples and Henry Schein attacks appear to have been detected internally, he said, leading the companies to initiate incident responses.

Do you rank in our database?

Submit your data with this quick survey and we’ll see where you fit in our next ranking update.

Sign up

Stay on top of the latest developments in the ecommerce industry. Sign up for a complimentary subscription to Digital Commerce 360 Retail NewsFollow us on LinkedInTwitter and Facebook. Be the first to know when Digital Commerce 360 publishes news content.