VF Outdoor, LLC

VF Outdoor, LLC, the parent company of brands like The North Face and Vans, suffered two separate data breaches in mid-2022. The breach at thenorthface.com was identified on August 11, 2022, stemming from a credential stuffing attack initiated on July 26, 2022, which compromised the personal information of approximately 162,823 individuals. The second breach at vans.com involved unauthorized access detected on August 20, 2022, affecting around 32,082 individuals. The attacks exploited reused or weak credentials, allowing threat actors to gain access to customer accounts. While the exact type of data exposed was not fully detailed, such breaches typically involve personal identifiable information (PII), including names, email addresses, and potentially payment or account details. The incidents highlight vulnerabilities in authentication mechanisms, exposing customers to risks like identity theft, phishing, or fraudulent transactions. No ransomware was reported, but the scale and nature of the breach suggest significant reputational and financial repercussions for the company, along with potential regulatory scrutiny under data protection laws like CCPA (California Consumer Privacy Act).

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-556917

TPRM report: https://www.rankiteo.com/company/vf-corporation

"id": "vf-335091725",
"linkid": "vf-corporation",
"type": "Breach",
"date": "7/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': '162,823',
                        'industry': 'Retail (Apparel & Footwear)',
                        'location': 'California, USA',
                        'name': 'VF Outdoor, LLC (The North Face)',
                        'type': 'E-commerce'},
                       {'customers_affected': '32,082',
                        'industry': 'Retail (Apparel & Footwear)',
                        'location': 'California, USA',
                        'name': 'VF Outdoor, LLC (Vans)',
                        'type': 'E-commerce'}],
 'attack_vector': ['Credential Stuffing', 'Unauthorized Access'],
 'data_breach': {'number_of_records_exposed': ['162,823', '32,082'],
                 'personally_identifiable_information': True},
 'date_detected': ['2022-08-11', '2022-08-20'],
 'description': 'The California Office of the Attorney General reported that '
                'VF Outdoor, LLC experienced data breaches at thenorthface.com '
                'and vans.com. The breach at thenorthface.com was detected on '
                'August 11, 2022, involving a credential stuffing attack that '
                'began on July 26, 2022, and affected approximately 162,823 '
                'individuals. The vans.com breach involved unauthorized access '
                'detected on August 20, 2022, impacting around 32,082 '
                'individuals.',
 'impact': {'data_compromised': True,
            'identity_theft_risk': True,
            'systems_affected': ['thenorthface.com', 'vans.com']},
 'post_incident_analysis': {'root_causes': ['Credential Stuffing',
                                            'Unauthorized Access']},
 'references': [{'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': ['California Office of '
                                                        'the Attorney '
                                                        'General']},
 'response': {'law_enforcement_notified': True},
 'title': 'Data Breaches at VF Outdoor, LLC (The North Face and Vans)',
 'type': ['Data Breach', 'Credential Stuffing', 'Unauthorized Access']}

VF Outdoor, LLC

OCHIN Inc. and Baltimore City Health Department: Baltimore City Health Department investigating data breach involving third-party system

Google: Gmail password warning issued as 48 million logins are exposed

FullBeauty Brands, Inc., CUUP, ELOQUII and Jessica London: FullBeauty Brands Data Breach Investigation