Posted 1 day ago
The North Face: Information About Data Incident
Got an email to say there has been a breach and my data may be implicated.
We are writing to inform you about a recent data incident which involved some of your personal information held by the VF Group, of which The North Face is part.
Below, you will find information about what happened, how we responded to the incident, how you may be impacted, what to do if you are concerned about your data and how you can contact us for more information.
What happened and how we reacted?
On December 13, we detected unauthorized activities on a part of our IT systems, apparently carried out by external threat actors.
Upon detecting the unauthorized activities, we immediately took steps to contain, assess and remediate the incident, including activating our internal incident response plan, hiring leading external cybersecurity experts to support with response activities and temporarily shutting down all IT systems that might be affected.
By December 15, we were able to complete the ejection of the unauthorized actors from our IT environment and we have now substantially restored all impacted IT systems and operations.
We have promptly involved the competent law enforcement agencies, that are supporting us with investigations, and we already notified the competent Data Protection Authority, as required under applicable law.
What personal data of yours might have been affected?
Our investigation revealed that the incident has affected some personal information of our customers, that we normally store and process in order to manage online purchases, such as email address, full name, phone number, billing address, shipping address. In certain cases, the affected data may also include order history, total order value, information about what payment method was used for the purchases.
Please note that, in any event, we never collect or retain in our IT systems any detailed payment/financial information, such as, for example, bank account or credit card information, so there is no chance that any detailed financial information was exposed to the threat actors. The information we hold is only what payment method was used for the purchases (for example “credit card”, “Paypal”, or “bank account payment”), with no additional details attached.
We can also confirm that no consumers’ passwords were exposed to the threat actors, so you can rest assured that the security of your online accounts was not affected as a result of this incident.
The evidence collected indicates that the affected data set may include one or more of the above personal data categories relating to you, since you previously interacted online with The North Face, and possibly with other Brands belonging to the VF Group.
What does this mean for you?
At the moment, we have no evidence suggesting any actual impact on any individual consumer whose personal data were part of the affected data set.
However, it cannot be excluded that, also depending on the specific personal data exposed for a given consumer, the incident may result in attempts of identity theft, phishing and possibly fraud in general.
Below you can find some measures that you may consider adopting to protect yourself:
Carefully consider every email, SMS, instant message and telephone call where you get asked for your personal details, even if they appear to come from our company: please note that, normally, we will never ask you to provide any personal information via such channels;Watch out to emails containing embedded hyperlinks, which may be used to direct you to malicious websites;Carefully consider emails which contain unexpected attachments;Be wary of any suspicious email, even if they appear to come from people you know or from our company, for example emails with improper grammar/spelling or sloppy language.
What should we do as consumers to ensure only the minimum information about us is stored for a short term period?
We are writing to inform you about a recent data incident which involved some of your personal information held by the VF Group, of which The North Face is part.
Below, you will find information about what happened, how we responded to the incident, how you may be impacted, what to do if you are concerned about your data and how you can contact us for more information.
What happened and how we reacted?
On December 13, we detected unauthorized activities on a part of our IT systems, apparently carried out by external threat actors.
Upon detecting the unauthorized activities, we immediately took steps to contain, assess and remediate the incident, including activating our internal incident response plan, hiring leading external cybersecurity experts to support with response activities and temporarily shutting down all IT systems that might be affected.
By December 15, we were able to complete the ejection of the unauthorized actors from our IT environment and we have now substantially restored all impacted IT systems and operations.
We have promptly involved the competent law enforcement agencies, that are supporting us with investigations, and we already notified the competent Data Protection Authority, as required under applicable law.
What personal data of yours might have been affected?
Our investigation revealed that the incident has affected some personal information of our customers, that we normally store and process in order to manage online purchases, such as email address, full name, phone number, billing address, shipping address. In certain cases, the affected data may also include order history, total order value, information about what payment method was used for the purchases.
Please note that, in any event, we never collect or retain in our IT systems any detailed payment/financial information, such as, for example, bank account or credit card information, so there is no chance that any detailed financial information was exposed to the threat actors. The information we hold is only what payment method was used for the purchases (for example “credit card”, “Paypal”, or “bank account payment”), with no additional details attached.
We can also confirm that no consumers’ passwords were exposed to the threat actors, so you can rest assured that the security of your online accounts was not affected as a result of this incident.
The evidence collected indicates that the affected data set may include one or more of the above personal data categories relating to you, since you previously interacted online with The North Face, and possibly with other Brands belonging to the VF Group.
What does this mean for you?
At the moment, we have no evidence suggesting any actual impact on any individual consumer whose personal data were part of the affected data set.
However, it cannot be excluded that, also depending on the specific personal data exposed for a given consumer, the incident may result in attempts of identity theft, phishing and possibly fraud in general.
Below you can find some measures that you may consider adopting to protect yourself:
Carefully consider every email, SMS, instant message and telephone call where you get asked for your personal details, even if they appear to come from our company: please note that, normally, we will never ask you to provide any personal information via such channels;Watch out to emails containing embedded hyperlinks, which may be used to direct you to malicious websites;Carefully consider emails which contain unexpected attachments;Be wary of any suspicious email, even if they appear to come from people you know or from our company, for example emails with improper grammar/spelling or sloppy language.
What should we do as consumers to ensure only the minimum information about us is stored for a short term period?
Community Updates
6 Comments
sorted byDickies
Altra (2018)
Eastpak (2000)
Icebreaker (2018)
And1 Lab (1999)
JanSport (1986)
Kipling (brand) (2004)
The North Face (2000)
Napapijri (2004)
SmartWool (2011)
Supreme (2020)
Timberland (2011)
Vans (2004)
Not saying they are all affected ...I wouldnt know.
Luckily my password for North Face is a google generated completely random one.
But name, address, phone number, email etc have been.
Anyone know of any solicitors out there taking on these cases?? (edited)