Posted 4 March 2024

VANS / Napapijri / Eastpak 'VF Group' Data Incident (Maybe others)

Just a heads up, had the following email regarding a 'Data Incident' :/ Had two separate emails from the brands below (so far).

Looking like it's affected various brands, in the VF Group, including VANS, Napapijri and possibly others.

VF Group Brands

Regardless of what's said below, I'd suggest resetting your passwords ASAP.



Dear Customer,

We are writing to inform you about a recent data incident which involved some of your personal information held by the VF Group, of which Vans is part.

Below, you will find information about what happened, how we responded to the incident, how you may be impacted, what to do if you are concerned about your data and how you can contact us for more information.

What happened and how we reacted?

On December 13, we detected unauthorized activities on a part of our IT systems, apparently carried out by external threat actors.

Upon detecting the unauthorized activities, we immediately took steps to contain, assess and remediate the incident, including activating our internal incident response plan, hiring leading external cybersecurity experts to support with response activities and temporarily shutting down all IT systems that might be affected.

By December 15, we were able to complete the ejection of the unauthorized actors from our IT environment and we have now substantially restored all impacted IT systems and operations.

We have promptly involved the competent law enforcement agencies, that are supporting us with investigations, and we already notified the competent Data Protection Authority, as required under applicable law.

What personal data of yours might have been affected?

Our investigation revealed that the incident has affected some personal information of our customers, that we normally store and process in order to manage online purchases, such as email address, full name, phone number, billing address, shipping address. In certain cases, the affected data may also include order history, total order value, information about what payment method was used for the purchases.

Please note that, in any event, we never collect or retain in our IT systems any detailed payment/financial information, such as, for example, bank account or credit card information, so there is no chance that any detailed financial information was exposed to the threat actors. The information we hold is only what payment method was used for the purchases (for example “credit card”, “Paypal”, or “bank account payment”), with no additional details attached.

We can also confirm that no consumers’ passwords were exposed to the threat actors, so you can rest assured that the security of your online accounts was not affected as a result of this incident.

The evidence collected indicates that the affected data set may include one or more of the above personal data categories relating to you, since you previously interacted online with Vans, and possibly with other Brands belonging to the VF Group.

What does this mean for you?

At the moment, we have no evidence suggesting any actual impact on any individual consumer whose personal data were part of the affected data set.

However, it cannot be excluded that, also depending on the specific personal data exposed for a given consumer, the incident may result in attempts of identity theft, phishing and possibly fraud in general.

Below you can find some measures that you may consider adopting to protect yourself:

Carefully consider every email, SMS, instant message and telephone call where you get asked for your personal details, even if they appear to come from our company: please note that, normally, we will never ask you to provide any personal information via such channels;

Watch out for emails containing embedded hyperlinks, which may be used to direct you to malicious websites;

Carefully consider emails which contain unexpected attachments;

Be wary of any suspicious email, even if they appear to come from people you know or from our company, for example emails with improper grammar/spelling or sloppy language.


How can you contact us?


We value your privacy, which is our priority. We will continue to actively monitor the situation and act promptly to protect your personal data.

We will also continue to review our cybersecurity policies and procedures and technological capabilities to look for opportunities to strengthen resiliency, in line with the ever-evolving threat landscape.

For any concerns about what happened or to have further information, please contact our dedicated incident response line for EMEA, at incidentcare_en@vfc.com.

Yours sincerely,
The Vans Team





13 Comments

  1. TristanDeCoonha
    Nice of them to let you know, almost 3 months after the event. They should have blitzed out emails immediately. Any attack using your information would likely have happened in the first couple of days.
  2. legodealsmad
    Compensation?
  3. bozo007
    All the more reason to never store card details on any website. Unfortunately, can't avoid those like Amazon but no harm in reducing the number of sites.
    tek-monkey
    I only use pre pay cards online nowadays where possible, as they usually only have enough on them at any time to cover that month.
  4. alien
    yep - got one from Eastpak
    Dan_82 (Author)
    Urgh, same email?