Victoria’s Secret has experienced a significant disruption to its online and in-store operations following a security incident. Customers are advised to stay informed about the company’s efforts to resume normal services.
Victoria’s Secret temporarily suspended its U.S. website alongside certain in-store activities for three days due to an undisclosed security breach. Customers trying to access the website were greeted with a notification detailing the service interruption.
The status message stated, “Dear customer, we have identified a security incident and are taking precautionary measures by pausing our website and some in-store services. Our team is diligently working to restore operations swiftly. We appreciate your understanding during this time.”
Impact and Timeline
The company disclosed this precautionary measure on Thursday, May 29, 2025, emphasizing the urgency with which its team is addressing the situation. Although a specific timeline for the complete restoration of services has not been provided, indications point to the issue beginning around Monday, May 26.
User reports from online forums, including Reddit, suggest some customers noted access difficulties as early as the previous Sunday. Despite online challenges, physical locations of Victoria’s Secret and PINK brand stores continued to operate, although some services, such as online return processing, were unavailable. A note from CEO Hillary Super highlighted that recovery efforts would be extensive, indicating a complex remediation process.
To assist in resolving the situation, the company has engaged third-party cybersecurity experts. In the wake of the incident, shares of Victoria’s Secret & Co. saw a reported decline of approximately 10%. The overarching silence on social media from the company during this incident has likely contributed to concerns among stakeholders, exacerbating the decline in stock value.
Another Retailer Targeted by Cyber Attack
This incident aligns with a broader trend of cyberattacks affecting major retailers. Other companies, including Marks and Spencer and Harrods, have reported similar challenges this year. Recently, Dior experienced a security issue leading to unauthorized access to customer data, while Adidas disclosed a breach involving consumer information accessed through a third-party service provider.
Common tactics among these attacks frequently include social engineering, where cybercriminals manipulate individuals within the organization to gain access to sensitive systems. The cybercrime group Scattered Spider has been noted for targeting significant retail brands in both the U.S. and U.K., illustrating the broader implications of these attacks. As evidenced by Marks & Spencer’s multi-week suspension of online orders following a breach, the ripple effects of such incidents can be profound, prompting experts to urge vigilance among consumers as fraud schemes proliferate in the aftermath.
As of now, the Victoria’s Secret website has resumed operations and is once again accessible to customers.
Experts’ Perspectives
Ben Hutchison, an Associate Principal Consultant at Black Duck, remarked on the growing risks faced by retailers, noting that once one organization falls victim, it often sets a precedent for subsequent attacks. He emphasized that rising threats to the retail sector should serve as a critical reminder for these businesses to fortify their cybersecurity and enhance their resilience against future incidents.
