2023-12-18 V F CORP Cybersecurity Incident

Page last updated on April 11, 2024

V F CORP initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-12-18 06:37:32 EST.

Company Summary

VF Corporation (formerly Vanity Fair Mills until 1969) is an American global apparel and footwear company founded in 1899 by John Barbey and headquartered in Denver, Colorado. The company’s 13 brands are organized into three categories: Outdoor, Active and Work. In 2015, the company controlled 55% of the U.S. backpack market with the JanSport, Eastpak, Timberland, and The North Face brands.
Source: Wikipedia

Incident Details

Material: No
Is Breach: TRUE
Records Compromised: 35,500,000
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-12-18
Contained Date: 2023-12-15
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-12-18

V F CORP filed an 8-K at 2023-12-18 06:37:32 EST
Accession Number: 0000950123-23-011228

Item 1.05 Material Cybersecurity Incidents.

On December 13, 2023, VF Corporation (“VF” or the “Company”) detected unauthorized occurrences on a portion of its information technology (IT) systems. Upon detecting the unauthorized occurrences, the Company immediately began taking steps to contain, assess and remediate the incident, including beginning an investigation with leading external cybersecurity experts, activating its incident response plan, and shutting down some systems. The threat actor disrupted the Company’s business operations by encrypting some IT systems, and stole data from the Company, including personal data. The Company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers. VF-operated retail stores globally are open, and consumers can purchase available merchandise, but VF is experiencing certain operational disruptions. Consumers are able to place orders on most of the brand e-commerce sites globally, however, the Company’s ability to fulfill orders is currently impacted. The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, and has notified and is cooperating with federal law forcement.

As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.


8-K/A filed on 2024-01-18

V F CORP filed an 8-K/A at 2024-01-18 16:33:42 EST
Accession Number: 0001193125-24-010243

Explanatory Note.

This Current Report on Form 8-K/A (this “Amendment”) amends the Current Report on Form 8-K previously filed by VF Corporation (“VF”) with the Securities and Exchange Commission on December 18, 2023 (the “Original Report”). VF is filing this Amendment in order to provide supplemental information regarding the cybersecurity incident disclosed by VF in the Original Report (the “cyber incident”). Except as expressly set forth herein, this Amendment does not amend the Original Report in any way. This Amendment supplements, and should be read in conjunction with, the Original Report.

Item 1.05 Material Cybersecurity Incidents.

As disclosed in the Original Report, on December 13, 2023, VF detected unauthorized occurrences on a portion of its information technology (IT) systems. Upon detecting the unauthorized occurrences, VF immediately began taking steps to contain, assess and remediate the cyber incident, including beginning an investigation with leading external cybersecurity experts, activating its incident response plan, and shutting down some systems. As a result of these and other measures, and while VF’s investigation and remediation efforts remain ongoing, VF believes the threat actor was ejected from VF’s IT systems on December 15, 2023. VF has notified, is cooperating with, and will continue to cooperate with and notify, federal law enforcement and the relevant regulatory authorities as required under applicable law.

As of the date of this Amendment, VF-operated retail stores, brand e-commerce sites and distribution centers are operating with minimal issues. After VF shut down some of its systems, VF experienced disruption to certain of its operations, including interrupted replenishment of retail store inventory and delayed order fulfillment which had impacts such as the cancellation by customers and consumers of some product orders, reduced demand on certain of its brands’ e-commerce sites, and delay of some wholesale shipments. Since the filing of the Original Report, while VF is still experiencing minor residual impacts from the cyber incident, VF has resumed retail store inventory replenishment and product order fulfillment, and is caught up on fulfilling orders that were delayed as a result of the cyber incident. Since the filing of the Original Report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts.

Based on VF’s preliminary analysis from its ongoing investigation, VF currently estimates that the threat actor stole personal data of approximately 35.5 million individual consumers. However, VF does not collect or retain in its IT systems any consumer social security numbers, bank account information or payment card information as part of its direct-to-consumer practices, and, while the investigation remains ongoing, VF has not detected any evidence to date that any consumer passwords were acquired by the threat actor.

While the investigation remains ongoing, as of the date of this Amendment, VF believes that the material impact or reasonably likely material impact on VF is limited to the material impacts on VF’s business operations disclosed in the Original Report which are no longer ongoing at this time. As of the date of this Amendment, VF also believes the impacts of the cyber incident are not material and are not reasonably likely to be material to its financial condition and results of operations.

VF will be seeking reimbursement of costs, expenses and losses stemming from the cyber incident by submitting claims to VF’s cybersecurity insurers. The timing and amount of any such reimbursements is not known at this time.


Analyst Notes

Company Information

NameV F CORP
CIK0000103379
SIC DescriptionMen’s & Boys’ Furnishgs, Work Clothg, & Allied Garments
TickerVFC - NYSE
Website
CategoryLarge accelerated filer
Fiscal Year EndMarch 29