With cybersecurity attacks becoming more of a concern for major retailers and independent stores alike, The North Face is the latest to have been struck.
The North Face has informed consumers of unauthorized access to some shoppers’ personal information due to “unusual activity” on its site in late April. The company said the matter was immediately investigated and it was determined that “a small-scale credential stuffing attack” against its site had taken place on April 23. A credential stuffing attack refers to a cybersecurity breach where the attacker uses account authentication credentials such as email addresses, usernames and passwords that were stolen from a source to access the users’ accounts without their authorization. Those credentials were then believed to have been used to access consumers’ accounts on The North Face site.
The company said approximately 1,500 individuals were impacted. In a statement released Wednesday, The North Face said, “The incident was quickly contained, and those affected were promptly notified. It’s important to note that no credit card information was compromised. Protecting the data of our customers remains our highest priority.”
The company said it did not believe the incident involved information that would require it to notify consumers of a data security breach under applicable law. The North Face said it was notifying them out of an abundance of caution. The outdoor brand said that credit card or stored value card information was not compromised on its site and that the attacker could not view payment card numbers, expiration dates and CVVs, since that information is not kept on its site.
The North Face advised shoppers to change their passwords on its site and to avoid using the same password across multiple sites. The VF-owned brand also mapped out how to avoid cybersecurity attacks and identity theft.
Earlier this week Victoria’s Secret said it would postpone the release of its earnings after a recent security breach on its site. In the U.K., Harrods, Marks & Spencer and the Co-op Group were hit with cyberattacks this spring. Credential theft accounted for 38 percent of all compromised data in 2023 making it the leading threat in retail cyberattacks, according to KnowBe4’s “Global Retail Report 2025.”
That signaled a shift in cybercriminal tactics targeting the retail sector, according to researchers. The report found that in 2023, credential harvesting, which often involves phishing attacks, had outpaced payment card data, which declined to 23 percent of all compromised data. Retail is now among the top five industries that have been targeted by cybercriminals, according to the report. Last year the average cost of a retail data breach reached $3.48 million — an 18 percent upswing compared to 2023.
The frequency of retail-related cybersecurity attacks increased by 56 percent in 2023 compared to the previous year. Last month researchers from Google Threat Intelligence Group and Google subsidiary Mandiant said that cybercriminals who were believed to have been responsible for three attacks against companies in the U.K. were focusing on U.S. retailers. Last month, Victoria’s Secret had to temporarily shut down its site after a cybersecurity breach.
