
Cyber Incident Victim: Vibram S.p.A.

Date: Jun 2014

Location: United States of America

Summary

A footwear company experienced a data breach when its third-party hosting provider was compromised, potentially exposing customer credit card information used for online purchases during a one-month period. The incident prompted the organization to transition to a new hosting provider and offer affected individuals complimentary credit monitoring services for one year. This security event occurred shortly after the company resolved unrelated class-action litigation alleging deceptive marketing practices regarding its products, though it admitted no liability in that settlement.


Description

In August 2014, Vibram USA disclosed a cybersecurity incident affecting customers who made online purchases on vibramfivefingers.com between June 6 and July 7 of that year. The breach occurred when a third-party hosting provider responsible for processing the company's e-commerce transactions suffered unauthorized access. This intrusion exposed customers' credit card information used during online purchases within the impacted 31-day window. Vibram initiated direct mail notifications to affected customers starting August 6, accompanied by a PDF letter detailing the compromise. The company confirmed that stolen data specifically included credit card numbers but did not disclose the total number of impacted individuals or whether additional personal information was accessed. No technical details about the attack vector, attacker identity, or intrusion detection timeline were provided in the notification.

Vibram implemented two primary remediation measures following the breach: terminating its relationship with the compromised hosting provider and migrating its hosting services to an unnamed alternative vendor. The company also offered affected customers one year of complimentary credit monitoring through Experian’s ProtectMyID service. This incident occurred within a month of Vibram finalizing a $3.75 million settlement in a class-action lawsuit alleging deceptive marketing practices regarding health benefits of its FiveFingers footwear. While the settlement involved no admission of liability by Vibram, the close succession of the legal resolution and the data breach amplified scrutiny of the company’s operational controls. No post-breach fraud incidents or direct financial impacts on customers were documented in the available notification materials.
