VF discloses data breach impacted 35.5M customers

The update provided by VF in a filing with the Securities and Exchange Commission (SEC) on Thursday marks the latest development since the company first detected unauthorized access to its information technology systems on Dec. 13. VF said it believes the threat actor was ejected from its IT systems Dec. 15 and is still working with law enforcement regarding the matter.

The 35.5 million customer total is based on the company’s preliminary analysis of its ongoing investigation, it said. The fact its IT systems were targeted by the attack might have saved certain financial information from being stolen.

“VF does not collect or retain in its IT systems any consumer Social Security numbers, bank account information, or payment card information as part of its direct-to-consumer practices,” the company said. “[W]hile the investigation remains ongoing, VF has not detected any evidence to date that any consumer passwords were acquired by the threat actor.”

VF said it is still experiencing “minor residual impacts” related to the incident but that it currently “believes the impacts of the cyber incident are not material and are not reasonably likely to be material to its financial condition and results of operations.”

That determination is critical after a new rule passed by the SEC last year took effect in December requiring public companies to disclose the nature, scope, timing, and impact of cybersecurity incidents deemed to be material within four business days. In its initial filing on Dec. 18, VF said the incident was “reasonably likely to continue to have a material impact on the company’s business operations until recovery efforts are completed.”

Other companies are also contending with the SEC’s new requirements, including First American Financial Corp. Since Dec. 22, the firm has made three disclosures related to unauthorized activity it uncovered on certain of its IT systems.