
The fashion brand Victoria’s Secret has reported a significant security incident that resulted in the temporary shutdown of its official website and disruptions to select services within its retail stores. At present, visitors to the brand’s website are met with a placeholder page displaying a brief message, in which the company acknowledges the incident and assures that all necessary measures are being taken to resolve it.
Both Victoria’s Secret stores and its subsidiary brand PINK remain operational, though certain services are currently unavailable. Company leadership affirms that teams are working around the clock to restore full functionality.
Speaking with reporters, a company spokesperson confirmed that third-party cybersecurity experts have been brought in to assist with the investigation. Internal response protocols were swiftly activated upon discovery of the threat, and, as a precautionary measure, the company chose to temporarily disable its digital platforms.
Victoria’s Secret CEO, Hillary Super, informed employees that the recovery process may take a considerable amount of time—a statement corroborated by an internal memo obtained by Bloomberg.
The company operates approximately 1,380 stores across nearly 70 countries, and in the last fiscal year ending February 1, 2025, it generated $6.23 billion in revenue. The scale of its operations underscores the potentially severe impact of a digital disruption, particularly given the retail sector’s heavy reliance on e-commerce and the automation of in-store services.
Notably, this incident coincides with a surge of cyberattacks targeting global retail brands. Just two weeks ago, Dior disclosed a breach, followed by a similar announcement from Adidas last week. British retailers Harrods, Co-op, and Marks & Spencer were also previously affected. Marks & Spencer estimates potential losses from its breach to be as high as £300 million—approximately $402 million.
Although no formal link between these incidents has been established, the hacker collective DragonForce has claimed responsibility for the attacks on Dior, Adidas, and Marks & Spencer. Analysts at BleepingComputer have found that the attackers employed social engineering techniques characteristic of the Scattered Spider group.
Last week, Google issued an alert warning that Scattered Spider has begun targeting American retailers, conducting extortion campaigns and deploying ransomware—a stark reminder that the retail industry remains a primary target for cybercriminals, especially as peak shopping seasons approach.
Victoria’s Secret has yet to disclose technical specifics of the incident or confirm whether customer data has been compromised. However, the scale of the outages suggests a potentially serious breach. Further details are expected to emerge once the initial phase of the investigation concludes.