Vans, Supreme owner VF Corp. says personal data stolen and orders impacted in suspected ransomware attack

VF Corporation, the U.S.-based owner of apparel brands including Vans, Supreme, and The North Face, has confirmed a cyberattack has impacted the company’s ability to fulfill orders ahead of Christmas, one of the biggest retail events of the year.

The Denver, Colorado-based corporation said in a filing with federal regulators that the cyberattack, which the company first detected on December 13, saw hackers disrupt the company’s operations “by encrypting some IT systems, and stole data from the company, including personal data,” implying a ransomware attack.

As a result, the company says it continues to experience operational disruptions, including its “ability to fulfill orders.”

When TechCrunch attempted to place an order on the Vans website, a message read: “Apologies, due to logistical disruption, the estimated delivery dates shown in the checkout process are incorrect. You will be notified by email when your item ships and can then track it with the shipper.”

VF Corp. said in its filing that the retail stores it operates globally are open, and that consumers can purchase available merchandise online. It’s unclear when orders are expected to ship, and a company spokesperson did not say when.

When reached by email, VF Corp. spokesperson Colin Wheeler provided TechCrunch with a statement that echoed the company’s filing with regulators. The company did not answer TechCrunch’s questions about the incident, nor would it say whether the company had received a ransom demand from the hackers.

The company has not yet said how it was compromised, what kinds of data was accessed, and how many individuals — whether employees, customers, or both — are affected by the breach. It’s also not known who was behind the attack, which has not yet been claimed by any tracked ransomware group.

In its regulatory filing, VF Corp. warned that the cyberattack would have a “material impact” on its business until its systems are recovered. “As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known,” the filing states.

VF Corp disclosed the incident on the same day that the U.S. Securities and Exchange Commission’s new data breach disclosure rules came into force. This regulation means that organizations must report cybersecurity incidents, including data breaches, to the federal government’s securities regulator within four business days.