Victoria’s Secret Security Incident Shuts Down Lingerie Giant’s Systems

Lingerie giant Victoria’s Secret was forced to pull down its website and some in-store services as a safety precaution after experiencing a prolonged security incident.

Ohio-based Victoria’s Secret operates about 1,350 retail stores across 70 countries and reported over $6 billion in revenue in 2024.

Problems with the underwear colossus started as early as May 26, when some customers reported experiencing difficulties placing orders.

Victoria’s Secret security incident caused outages

Responding to the cyber attack, Victoria’s Secret said it activated its cyber incident protocols, including proactively shutting down some systems, and hired third-party cybersecurity experts to address the issue.

“Valued customer, we identified and are taking steps to address a security incident. We have taken down our website and some in store services as a precaution,” the company said.

It also assured customers that its team was diligently working to restore full operations and that its PINK stores, which serve teen girls and college students, remained open for business.

“Our team is working around the clock to fully restore operations. We appreciate your patience during this process. In the meantime, our Victoria’s Secret and PINK stores remain open and we look forward to serving you.”

While physical operations continued, some services, such as purchase returns and customer service, would take time to process, with the company warning that “recovery is going to take a while.”

Victoria’s Secret’s shares tumbled, recording a 10% drop, due to the uncertainty occasioned by the security incident. Customers complained on social media about being unable to track their orders for multiple days when the company’s website was unavailable.

Meanwhile, the Victoria’s Secret security incident comes hot on the heels of apparent ransomware attacks targeting retail giants Marks & Spencer, Harrods, the Co-op, and Adidas, potentially leaking customer data.

Marks & Spencer estimated that the security incident would cost the company over $400 million, or roughly a third of its annual profits. The luxury retailer also warned that the disruption caused by the apparent ransomware attack could extend into July.

French luxury retailer Dior also reported a cybersecurity incident that leaked customer data through a third-party breach. The data breach followed similar incidents in Turkey and South Korea, raising fears that its global user base was likely affected.

Currently, the prolific ransomware gang Scattered Spider has reportedly been linked to cyber attacks targeting the U.K. retailers M&S, Harrods, and the Co-op.

“The recent security incident at Victoria’s Secret, following a string of attacks on other retailers, suggests a potentially coordinated campaign targeting the retail sector,” warned Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “While information remains limited at this point, suspending website functionality is not a decision organizations take lightly.”

Meanwhile, luxury retailers like Victoria’s Secret, Dior, and M&S are lucrative targets for cybercriminals due to the vast amounts of personal information, including that of wealthy clients, they collect. Their premium brands also make them easy pickings for cyber extortion due to the scale of reputational damage they could suffer if personal information were leaked.

“These attacks are not isolated events; they represent a growing pattern exposing a deeper, systematic vulnerability within the retail industry,” said Ryan Sherstobitoff, SVP of Threat Research & Intelligence at SecurityScorecard. “In this Adidas breach, attackers accessed data through a third-party provider, highlighting the threat of interconnected supply chains, which continue to be a major entryway for threat actors.”

“Retailers operate in data-rich environments, handling troves of personally identifiable information (PII), loyalty data, and often payment credentials,” Sherstobitoff added.

To date, Victoria’s Secret remains silent about the security incident, offering only a brief public statement. Thus, the threat actor’s identity, whether ransomware was deployed, and whether the company has received any extortion demands remain unreported.