Victoria’s Secret has pulled the plug on its U.S. website after a serious security breach, sparking concern and online backlash.
As cyberattacks rattle retailers globally, experts urge swift action while customers demand answers from the lingerie giant.
Lingerie giant Victoria’s Secret has temporarily disabled its U.S. website and suspended certain in-store services following what the company is calling a “security incident.”
Visitors to the brand’s American website are now met with a notice stating that teams are “working around the clock to fully restore operations.” Despite the disruption, the retailer confirmed that its physical stores along with its sister brand, PINK, remain open to customers. The company’s UK-based website continues to function normally and is unaffected by the issue.
In a statement released to the media, Victoria’s Secret noted that it took immediate precautionary steps by implementing internal response procedures and engaging cybersecurity specialists. The brand stated, “We enacted our response protocols right away, brought in external experts, and took down the website and some services in stores as a precaution.” No specifics were shared regarding the cause or timeline of the breach.
Victoria’s Secret, headquartered in Ohio, manages over 1,300 retail locations in about 70 countries. News of the incident led to a dip in the company’s share value, with stock prices dropping nearly 7% on Wednesday when the breach was first publicly disclosed.
Meanwhile, some customers expressed frustration on social media over the lack of service and communication. One user on platform X wrote, “How can I check my order status when your page has been down for 2 days?!? And no one answers the phone either!”
This development comes amid a broader wave of cyberattacks affecting major retailers, particularly in the UK. Retailer Marks & Spencer (M&S) recently disclosed that a cyber breach could cost the company up to £300 million, with operations expected to be disrupted into July. The Co-op has also faced fallout, including payment issues and product shortages, following a similar attack.
In both cases, customer data was compromised. According to statements from a hacking group that spoke to the BBC, the attacks were executed using ransomware, a tactic where a victim’s systems are encrypted, and access is only restored upon payment.
Law enforcement sources indicate that a group known as Scattered Spider, which reportedly includes teenage hackers, is being investigated in connection with the incidents.
Cybersecurity expert Vonny Gamot of McAfee has advised consumers to act swiftly. “Change your passwords immediately and enable two-factor authentication where available,” she urged, adding that customers shouldn’t wait for companies to confirm if their data was affected. “If you’ve shopped with a retailer that’s been hit, assume your information might be at risk.”
Gamot also noted that it may take companies several weeks to identify the full extent of the breach and notify affected individuals.
