Cyber Incident Victim: VF Corporation

VF Corporation, parent company of retail brands including Vans and The North Face, disclosed a cyberattack in a December 1, 2023 regulatory filing that significantly disrupted operations during the critical holiday shopping period. The incident occurred the prior week, with attackers compromising IT systems and impairing the company’s order fulfillment capabilities. While online ordering remained functional, VF Corp acknowledged its inability to process and deliver customer orders normally due to system disruptions. The Denver-based company described the incident’s business impact as “material” without specifying exact financial losses. Operational disruptions persisted at the time of disclosure, with no public timeline provided for full restoration of services. The attack coincided with peak seasonal demand, amplifying potential revenue consequences across VF’s portfolio of apparel brands.

The threat actors encrypted portions of VF’s IT infrastructure and exfiltrated corporate data containing personal information, though specific data types and volumes remained undisclosed. VF proactively disabled certain systems to contain the breach’s spread while initiating forensic investigations with external cybersecurity experts. Remediation efforts included transitioning select business operations to offline processes to minimize further disruption. The company’s stock price declined approximately 4% to $19.13 in premarket trading following the disclosure, reflecting investor concerns about operational and financial repercussions. VF did not attribute the attack to any specific threat actor or disclose whether ransomware payments were demanded or made. Restoration work continued on affected IT systems with no additional details provided about long-term operational or data breach impacts.