- VF Corp. was hit by a cyberattack last week that resulted in the theft of data, including personal information, according to an 8-K filing with the U.S. Securities and Exchange Commission Monday.
- Customers can place orders on most of its brands’ e-commerce sites globally, which include Vans and The North Face, but VF’s ability to fulfill orders is impacted by the incident, the company said.
- While the investigation of the attack is ongoing, VF said in the filing the incident “has had and is reasonably likely to continue to have a material impact on the company’s business operations until recovery efforts are completed.”
VF Corp. has not determined if the cyberattack will take a material hit on its finances or “results of operations,” the company said in the filing.
“VF, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from this incident and has notified, and is cooperating with, federal law enforcement,” a company spokesperson said in an email to Fashion Dive. “The company will continue to review its security measures to look for opportunities to strengthen resiliency in an ever-evolving threat landscape.”
VF detected “unauthorized occurrences” in its IT systems on Dec. 13, per the filing, and began an investigation into the incident which included shutting down some systems. The threat actor encrypted some IT systems.
Neither the filing nor the VF spokesperson provided more detailed information on the stolen data.
VF is working to bring the impacted portions of its IT system online and create workarounds for certain offline operations “with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers,” the company said.
VF’s operated stores are open globally, and customers can still purchase merchandise, but the filing noted that it is experiencing “certain operational disruptions.”
It’s hard to know how damaging the incident will be to VF due to the information in the filing, but it could be significant, according to David Swartz, senior equity analyst for Morningstar Research Services.
“The timing is obviously terrible, coming a week before Christmas,” Swartz said in an email to Fashion Dive. “Companies have mitigation plans in place to try to limit the damage in case of an attack, but they can’t plan for everything.”
Last year, HanesBrands experienced a ransomware attack that reportedly cost about $100 million in global sales. However, it recovered some of that loss from a $20.5 million insurance payment.
Swartz noted that the SEC’s cybersecurity disclosure rules, which went into effect in September, may have prompted VF to file the 8-K more quickly than it may have in the past.
“Historically, companies have been very inconsistent on disclosing cyberattacks, and sometimes they would not disclose them at all,” Swartz said.
The news comes as VF, which owns brands Timberland and Dickies is undergoing a transformation program. The plan is meant to bolster its brand building, execution and sales in North America, as well as turnaround the Vans brand, which has been a pain point for the apparel conglomerate.
It reported $3 billion in revenue in its most recent quarterly earnings in October, a 2% decrease from the same period the previous year.