The IT Nerd

VF Corp., the parent company of the apparel brands Vans, Supreme, and The North Face, reported in an SEC filing that hackers stole the personal data of 35.5 million customers in a December cyberattack.

The filing did not say specifically what kinds of personal data was taken or if any corporate data was stolen but VF Corp said it does not retain consumer Social Security numbers, bank account information, or payment card information for its consumer businesses.

VF said in December, at the time of the incident, that it had experienced operational disruptions and its “ability to fulfill orders” and in its Thursday filing, they said the company is “still experiencing minor residual impacts from the cyber incident,” but that it has caught up on fulfilling orders that were delayed. 

Al Martinek, Customer Threat Analyst, Horizon3.ai:

   “While accurately predicting the actions of cyber threat actors is challenging, especially during the holiday season, it is imperative to remain vigilant to ensure the security of your systems and networks. Cyber vigilance becomes even more critical in safeguarding personal and financial information, given the increased online activities and festive shopping that create opportunities for cyber threats and scams. As we have seen, no matter how big or small a company is, threat actors will likely continue to focus on targets of opportunity and take advantage of complacent company manning and low staff. Additionally, increased online shopping creates a perfect environment for scammers to mask themselves among the chaos.  

   “Threat actors steal data, exploit weak credentials, and ultimately find any way possible to disrupt company operations during times of amplified cyber traffic. Adopting a proactive, autonomous approach that involves identifying, addressing, and validating exploitable vulnerabilities serves as the primary defense against cyber threats for any organization. Solutions such as continuous penetration testing not only deliver prompt results for addressing crucial issues but also save valuable time and stress for security teams. This approach allows for timely mitigations and verifications, providing organizations with the necessary peace of mind in keeping sensitive information out of enemy hands and networks hardened against attacks.”

Stephen Gates, Principal Security SME, Horizon3.ai:

   “The outcomes noted here are a classic example of human-operated, ransom-based attacks. The likelihood of attackers gaining and maintaining their footholds in the victim’s networks is all too apparent.

   “In 2024, organizations must find the weaknesses in their networks that are enabling these attacks to begin, then progress like a tumor. Most of the time, the weaknesses being exploited are not CVEs. Instead, they are easily compromised and reused credentials, effortlessly discovered and unprotected data, software and hardware misconfigurations, poorly implemented security controls, and weak and/or unenforceable security policies.

   “These oversights and error conditions are one of the biggest reasons why the SEC new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.

   “If you are not continuously assessing your internal, external, and cloud infrastructures, you likely will not be able to identify and manage material risks from cybersecurity threats. The real key is to continuously assess yourself before attackers do it for you.”

Craig Harber, Security Evangelist: Open Systems:

   “The company’s filing this week confirms the extent of the December data breach, 3.5 million customers plus the initial disruption of business operations caused by encrypting IT systems. The disruption appears to have been limited to the company’s ability to fulfill orders, but this was the peak delivery season, right before Christmas. The attackers certainly were hoping to take advantage of this.

   “Fulfillment uncertainty impacts customer confidence in the company’s ability to deliver items on time during the holiday season. Not surprisingly, VF Corporation’s share price tumbled on the news of the cyberattack based on project revenue losses, erosion of customer confidence, and long-term reputational damage to its brand.

   “Cyberattacks are inevitable in today’s environment. Companies must be prepared to respond when it happens. Preparation includes coping with internal efforts to contain, assess, and mitigate active threats while maintaining business operations and adhering to regulatory compliance reporting requirements.

   “The SEC Incident Disclosure Regulations that went into effect on Dec. 15th means that waiting until a cyberattack is underway to roll out your incident response plan is no longer an option. Companies must have effective cybersecurity plans in place to prevent cyberattacks, minimize the damage they cause and comply with regulatory requirements to ensure that they are not penalized for non-compliance.”

Mark Cooper, President & Founder, PKI Solutions:

   “One method that organizations often overlook in protecting sensitive customer and business information is a strong encryption and identifying process. When information is maintained in an encrypted state, even if hackers steal or re-encrypt the information, the original data is protected from disclosure. As we have seen more and more lately, hackers are releasing information despite payment from their victims. To protect that data, organizations should be leveraging aggressive encryption programs proactively.”

With a count of 35 million people affected, this is a non-trivial event. And seeing as my wife recently bought a North Face jacket, we’ll be checking to see if she’s been affected. Unfortunately that’s now how the world is where you expect your data to leak because of a hack and all you can do is brace for impact. This is why companies and anyone else who has your data must do better to protect it.

According to Bloomberg, last year unknown hackers stole $7.5 million from the Department of Health and Human Services by taking over email accounts belonging to the grant recipients and tricking federal employees into transferring funds to malicious accounts.

The payment management system platform that the hackers accessed serves eight other departments, including the Pentagon and the Treasury Department, in addition to the White House, NASA and the Small Business Administration.

Sadly, $1.5 million of the stolen money was intended to fund health care for “the nation’s highest-need communities.”

The news outlet also reported that White House officials were disappointed by Health and Human Services for their lack of urgency in handling of the intrusions. Health and Human Services has since referred the incident to the Office of the Inspector General who claims to be taking it very seriously.

Emily Phelps, VP, Cyware had this comment:

   “Given the highly sensitive and valuable data these departments manage, especially when it involves funds for essential services like health care, the risk of cyberattacks cannot be underestimated. This incident not only showcases the vulnerabilities in current systems but also emphasizes the necessity for government agencies to be equipped with advanced tools and real-time intelligence to preemptively identify and combat such threats. Strengthening cybersecurity infrastructure and ensuring immediate and informed responses to cyber threats are imperative to safeguard public sector data and resources.”

The fact that HHS didn’t have the sense of urgency that should be expected after this hack and theft happened is disappointing. Hopefully those who were asleep at the switch are dealt with accordingly.