The North Face’s e-commerce website was impacted by a cybersecurity incident in April, a brand spokesperson confirmed to Fashion Dive.
The incident compromised about 1,500 customers’ email and shipping addresses, names, dates of birth and telephone numbers, according to a consumer notice letter posted by the Attorney General of Vermont’s office.
However, an investigation found that no credit card information was compromised, according to the spokesperson.
“The incident was quickly contained, and those affected were promptly notified,” the spokesperson said. “Protecting the data of our customers is the highest priority.”
The VF-owned brand said it was notifying customers impacted “voluntarily, out of an abundance of caution,” per the letter.
The data breach was an attack called credential stuffing, which occurs when an unauthorized party uses stolen email addresses, usernames and passwords to gain access to user accounts on other platforms. It can happen when customers use the same credentials on multiple websites. The North Face attacker got the usernames from a separate source and not from the company, and The North Face disabled the affected passwords, the brand said in the letter.
Eighty-one percent of people reuse the same or similar passwords on multiple accounts, making it easier for credential stuffing to occur, Benjamin Fabre, CEO and co-founder of DataDome, said in an email.
The breach comes at a time when multiple fashion and apparel companies have reported cybersecurity incidents, including Victoria’s Secret and Dior.
The North Face’s holding company VF faced another cybersecurity incident in December 2023, which impacted the company’s ability to fulfill orders during the holiday season.
