Breach taxonomy
Summary
On December 13, 2023, VF Corporation (parent of Vans, The North Face, Supreme, and other brands) detected a ransomware attack that encrypted IT systems and exfiltrated data including personal data. VF-operated retail stores globally remained open and most e-commerce sites could accept orders, but order fulfillment capabilities were significantly impacted. The incident was determined to have a material impact on business operations. The company engaged leading external cybersecurity experts and cooperated with federal law enforcement.
Tagging rationale
ThreatUnknown
Filing does not attribute the incident to any specific threat actor → UNKNOWN.
MethodsRansomwareData Exfil
Filing explicitly states the threat actor encrypted IT systems (ransomware) and stole data including personal data (data exfiltration).
AssetsPersonal DataRevenue Process
Filing discloses that the threat actor encrypted IT systems (disrupting revenue-generating operations) and stole data including personal data.
EffectsBiz InterruptionInfo Privacy Loss
Encryption of systems disrupted order fulfillment globally causing significant business interruption; personal data was stolen causing information privacy loss.
Business continuityFailed
Filing states order fulfillment is significantly impacted with material ongoing business impact and no restoration timeline disclosed; VF-operated retail open but fulfillment disrupted → Failed.
Impact
Ransomware encrypted IT systems and stole personal data at a major consumer goods company (Vans, North Face, Supreme brands), disrupting global order fulfillment with material disclosed impact during the holiday shopping season.
InsuranceNot disclosed
Filing makes no mention of insurance.
Read the original SEC filing excerpt
Item 1.05 Material Cybersecurity Incidents. On December 13, 2023, VF Corporation detected unauthorized occurrences on a portion of its information technology systems. Upon detecting the unauthorized occurrences, the Company immediately began taking steps to contain, assess and remediate the incident, including beginning an investigation with leading external cybersecurity experts, activating its incident response plan, and shutting down some systems. The threat actor disrupted the Company's business operations by encrypting some IT systems, and stole data from the Company, including personal data. The Company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers. VF-operated retail stores globally are open, and consumers can purchase available merchandise, but VF is experiencing certain operational disruptions. Consumers are able to place orders on most of the brand e-commerce sites globally, however, the Company's ability to fulfill orders is currently impacted. The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, and has notified and is cooperating with federal law enforcement. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company's business operations until recovery efforts are completed.