VF Corporation, owner of Vans, Supreme, and The North Face, estimated that over 35.5 million personal data from its customers were stolen during the holiday cyberattack.
According to the company's Securities and Exchange Commission Dec. 15 filing, the "threat actors" were able to steal undisclosed individual customer data via "encrypting some IT systems."
VF Corp assured that social security numbers, bank account information, or payment card information were not included in the stolen data as the company does not store it in its data banks.
Customer passwords are believed to be safe, as well.
The method of attack suggests ransomware. Cyber extortion gang ALPHV, also known as BlackCat, later claimed responsibility to the attack.
VF Corp is still investigating the incident in order to protect itself from similar attacks in the future.
BlackCat Ramps Up Cyberattacks Across the US
Just last September, a subgroup of the gang staged a ransomware attack on MGM casinos that disrupted its operations for over a month.
MGM estimated that the attacks cost its casinos $100 million from the disruption and restoration efforts, 10 times bigger than the $10 million demand from the hackers.
The group then later breached into another casino, Caesars Palace, just a week after the MGM incident.
The casino reported that the hackers were able to steal the driver's license and social security numbers of a "significant number of members in the database."
Caesars' later reports suggest that the casino paid the hackers to avoid the data leak, according to PC Mag.
Related Article : ALPHV Ransomware Subgroup Claims Responsibility for MGM Cyberattack
How to Protect Personal Data from Hackers
Unlike in a data breach from a personal device, there is not much a customer can do when their personal information is stolen during a corporate breach.
However, it is still recommended to add or update the two-way authentication method to social security numbers and related bank accounts if one of the services used is hacked.
It is also better to keep updated to the company's statements regarding the severity of the attack and know what to do next if affected by the breach.