Nearly 3,000 customer accounts on The North Face website were breached in April, according to VF Outdoor, the parent company of The North Face, JanSport, and Timberland. The company disclosed the incident through breach notification letters filed in Vermont and Maine, revealing that 2,861 customers were affected.
Unusual activity was first identified on April 23, prompting an investigation. VF Outdoor confirmed the breach was the result of a credential stuffing attack, where stolen login details from unrelated data breaches were used to access North Face accounts.
“Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from us) and then used those same credentials to access your account on our website,” VF Outdoor stated in its notification.
While the company said the compromised information does not require mandatory notification under current data breach laws, customers are being informed out of an “abundance of caution.” Exposed data includes names, addresses, telephone numbers, dates of birth, and purchase histories. However, VF Outdoor assured customers that payment card data was not exposed, as those details are handled by a third-party payment processor. The only payment-related information stored on The North Face site is a token that is useless outside of their own platform.
Following the breach, the company disabled all user passwords and required affected customers to reset their credentials. Customers were also advised to change passwords on other platforms if they used the same credentials, as these may now be compromised. Despite the breach, VF Outdoor will not offer identity protection services to impacted users.
This incident mirrors a previous credential stuffing attack disclosed by VF Outdoor in 2022, which affected nearly 200,000 customers. The company has also faced broader cybersecurity challenges, including a “material” ransomware attack in December 2023 that disrupted operations and hindered its ability to fulfill customer orders. That attack was one of the first reported under a new U.S. Securities and Exchange Commission rule requiring timely disclosure of significant cybersecurity incidents.
The breach at The North Face is part of a broader surge in cyberattacks on retail companies. Recently, women’s fashion brand Victoria’s Secret suffered a cyber incident that disrupted internal systems and delayed its first-quarter earnings release. Cartier also issued a notice this week regarding a cyberattack that compromised customer data, while Adidas, Dior, and Tiffany reported similar breaches within the past two weeks.
These events are reportedly part of a months-long campaign by the cybercriminal group Scattered Spider, which has shifted its focus from U.K.-based targets to companies in the United States. In response, the FBI has been delivering cyber-intelligence briefings to major retailers over the past month.
Earlier victims of Scattered Spider’s attacks in the U.K. include Marks & Spencer, the Co-op, and luxury department store Harrods, highlighting the increasingly global scope of the threat to the retail industry.
Related Topics
- Frame Partners with Sotheby’s for Limited-Edition Capsule Collection Inspired by 1980s New York
- Simone Biles Playfully Roasts Kylie Jenner Over Oversized Blazer: “This is a Crime!”
- Shein Named Top Fashion Polluter as H&M Leads in Supplier Decarbonisation Efforts
