Victoria’s Secret has become the latest retailer to experience a cyberattack, joining a growing list of companies affected by similar breaches in recent weeks. The incident prompted the fashion retailer to take its US website offline and suspend certain store services.
According to a Bloomberg News report, Victoria’s Secret halted some office operations and instructed employees to refrain from using company technology due to a ‘security incident’. Some employees also reportedly found themselves unable to access email accounts due to non-functional passwords, a source familiar with the situation told the publication. This disruption has affected the retailer’s online shopping platform and some store services. Meanwhile, the Victoria’s Secret website greeted customers with a generic message.
“Valued customer, we identified and are taking steps to address a security incident,” the message said. “We have taken down our website and some in-store services as a precaution. Our team is working around the clock to fully restore operations. We appreciate your patience during this process.” The company’s stores and those of its spin-off brand, PINK, remained operational.
Victoria’s Secret operates approximately 1,350 retail stores across nearly 70 countries, as stated on its website. For the fiscal year ending 1 February 2025, the company reported annual sales of $6.23bn, marking a 1% increase from the previous year.
A company spokesperson told Bloomberg that Victoria’s Secret has engaged external experts to assess the incident’s impact. Details regarding the nature of the incident have not yet been disclosed. Separately, Victoria’s Secret CEO Hillary Super told the employees that “[r]ecovery is going to take a while.”
Retailers face continued cyber assaults
Recently, retailers have increasingly become targets of cyberattacks. Two weeks ago, Dior, a French luxury fashion brand, reported a cybersecurity incident where attackers accessed data on some Dior Fashion and Accessories customers. Similarly, German sportswear company Adidas revealed a data breach last week after hackers compromised a customer service provider and stole customer data.
These incidents are part of a broader trend of attacks targeting UK retailers over recent months, including Harrods, Co-op, and Marks & Spencer (M&S). The latter is facing a potential profit impact of up to £300m due to sales and operational disruptions following a breach.
Although it remains unclear if these attacks are interconnected, the DragonForce ransomware group has claimed responsibility for the incidents involving Harrods, Co-op, and M&S.
Recently, Google issued a warning that Scattered Spider is now also targeting US retailers with ransomware and extortion schemes. This group is known for conducting ransomware and extortion campaigns.
Read more: TCS launches internal inquiry into Marks & Spencer cybersecurity breach
