Clothing and footwear giant VF Corporation is letting 35.5 million of its customers know they may find themselves victims of identity theft following last year's security breach.

In an email to customers, the Vans and North Face parent promised that crooks didn't swipe their credit card or bank account details. 

And, it added, there's "no evidence" suggesting any stolen personal info, including names, emails, addresses, and phone numbers, has been used for nefarious purposes.

"However, it cannot be excluded that, also depending on the specific personal data exposed for a given consumer, the incident may result in attempts of identity theft, phishing and possibly fraud in general," the notice continued.

The records were accessed or taken during a digital break-in that VF disclosed on December 13. The intrusion disrupted the clobber maker's operations and its ability to keep people in fancy outerwear. 

While VF didn't call the cybersecurity incident ransomware at the time, the wording it used to detail the intrusion in a regulatory filing made it sound an awful lot like a ransomware infection with an extortion demand.

A month later, in an updated  8-K filing with the US Securities and Exchange Commission (SEC), the apparel slinger disclosed that 35.5 million of its customers were hit by the IT security breach, but played coy about what data the crooks likely stole during the attack.

A VF spokesperson declined to answer The Register's earlier inquiries about the intrusion, including whether the attack was a ransomware infection and how much data was pilfered in the break-in, but a spokesperson did send the following statement:

"VF never collects or retains any detailed payment or financial information, such as bank account or credit card information, so no such information was exposed to the threat actors. Furthermore, no consumers’ passwords were compromised. Please note that formal investigations by competent authorities are still ongoing. For this reason, we are unable to provide further details."

However, we now have a slightly better idea about what those miscreants got their hands on from the privacy breach notification emails alerting customers that "some personal information," including email addresses, full names, phone numbers, billing addresses and shipping addresses, was accessed.

Additionally, in some cases, the criminals swiped customers' order history, total order value, and payment method.

The Vans owner, however, again denied that miscreants stole any bank account or credit card numbers because the company will "never collect or retain in our IT systems any detailed payment/financial information."

The breach notification literally underlines this point:

Plus, it assures no one's password was exposed, "so you can rest assured that the security of your online accounts was not affected as a result of this incident."

But that shouldn't be an issue because you're not reusing account passwords, right? Right??

Regardless, it's perhaps a good idea to change your Vans password, and those for any other accounts that share the same login details. And keep an eye out for suspected phishing emails, especially messages with embedded hyperlinks and/or attachments. ®

https://www.theregister.com//2024/03/24/vans_breach_disclosure/