- VF Corp. experienced a cybersecurity attack last week that resulted in stolen data, including personal data, according to an 8-K filing with the U.S. Securities and Exchange Commission.
- The company said customers can place orders on most of its brands’ e-commerce sites globally, but VF’s ability to fulfill the orders is impacted by the incident.
- While the investigation of the attack is ongoing, VF said in the filing the incident “has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed.”
In the filing, the company said it hadn’t yet determined whether the incident would materially impact the financial condition or result of operations of VF.
“VF, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from this incident and has notified, and is cooperating with, federal law enforcement,” a company spokesperson said in an email to Fashion Dive. “The Company will continue to review its security measures to look for opportunities to strengthen resiliency in an ever-evolving threat landscape.”
VF detected “unauthorized occurrences” in its IT systems on Dec. 13, per the filing, and began an investigation into the incident which included shutting down some systems. The threat actor encrypted some IT systems. Neither the filing nor the VF spokesperson provided more detailed information on the stolen data.
The filing stated that VF is working to bring the impacted portions of its IT system online and create workarounds for certain offline operations “with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers.”
VF’s operated stores are open globally, and customers can still purchase merchandise, but the filing noted that it is experiencing “certain operational disruptions.”
It’s hard to know how damaging the incident will be to VF due to the information in the filing, but it could be significant, according to David Swartz, senior equity analyst for Morningstar Research Services.
“The timing is obviously terrible, coming a week before Christmas,” Swartz said in an email to Fashion Dive. “Companies have mitigation plans in place to try to limit the damage in case of an attack, but they can’t plan for everything.”
Last year, HanesBrands experienced a ransomware attack that reportedly cost about $100 million in global sales. However, it recovered some of that loss from a $20.5 million insurance payment.
Swartz noted that the SEC’s cybersecurity disclosure rules announced in 2022 may have prompted VF to file the 8-K more quickly than it may have in the past.
“Historically, companies have been very inconsistent on disclosing cyberattacks, and sometimes they would not disclose them at all,” Swartz said.
The news comes as VF, which owns brands including Vans, Timberland and Dickies, is undergoing a transformation program. The plan is meant to bolster its brand building, execution and sales in North America, as well as turnaround the Vans brand, which has been a pain point for the apparel conglomerate.
It reported $3 billion in revenue in its most recent quarterly earnings in October, a 2% decrease from the same period the previous year.