VF believes discovered “unauthorized occurrences” on its network starting on December 13, 2023. In their filing, they report that they “ejected” network attackers on December 15th, 2023 after they took action and engaged “leading external cybersecurity experts, activat[ed] [their] incident response plan, and shut[] down some systems.” Ultimately, they believe that the “threat actor stole personal data of approximately 35.5 million individual consumers.” They note, importantly, that they do not “not collect or retain … any consumer social security numbers, bank account information or payment card information as part of its direct-to-consumer practices …”

Please contribute with additional context and information about this filing.