American manufacturer of skateboarding shoes Vans store seen in Hong Kong.
Budrul Chukrut | LightRocket | Getty Images
Shares of The North Face and Vans owner VF Corp tumbled Monday after the company reported that a hack had affected its ability to fulfill some orders ahead of the holidays.
The company said hackers encrypted “some” systems and made off with personal data. Those are some hallmarks of ransomware, where attackers try to extort companies in exchange for hefty payment. VF Corp declined to comment on whether the incident was a ransomware attack.
The stock dropped more than 8% on Monday.
VF Corp announced the incident on the same day that the Securities and Exchange Commission’s new cyber disclosure rules took effect. Those regulations mandate that companies report “material cybersecurity incidents” to their investors within four days of determining that a hack would have an impact on their bottom lines. VF Corp first identified hackers in its system on Dec. 13, meaning it took relatively little time for the company to identify the threat as material.
The attack is expected to hit the company’s operations in the lead up to the critical holiday shopping period. The company said the breach has affected its ability to fulfill orders, but customers will still be able to place them online.
The full scope of the attack is still not known, and it will likely continue to have a material impact until recovery efforts are complete, the company said.
The new SEC rules are designed to give investors a clearer picture of how attacks can harm businesses. When casino firm Caesars Entertainment was breached earlier this year, for example, the company quietly paid a $15 million ransom, sources previously told CNBC. Only after MGM Resorts was hit by the same attacker did Caesars disclose that it had been affected.
Under the new disclosure obligations, Caesars likely would have had to report the hack and the payment much earlier. Regulators and law enforcement strongly discourage companies from paying ransoms. But given the debilitating effects that cyber disruptions can have, many companies do so anyway.
VF Corp is the latest major company to be hit a by cyberattack that disrupted company operations. In addition to Caesars and MGM, Clorox was hit by a breach that prevented the company from keeping its items on store shelves earlier this year.