VF believes it discovered “unauthorized occurrences” on its network starting on December 13, 2023. In their filing, they reported that they “ejected” network attackers on December 15th, 2023 after they took action and engaged “leading external cybersecurity experts, activat[ed] [their] incident response plan, and shut[] down some systems.” Their report states that, ultimately, they believe that the “threat actor stole personal data of approximately 35.5 million individual consumers.” They note, importantly, that they do “not collect or retain … any consumer social security numbers, bank account information or payment card information as part of [their] direct-to-consumer practices …”

Please contribute with additional context and information about this filing.