
[Post updated to add Victoria's Secret comment]
Victoria’s Secret has taken its website offline and suspended some in-store services following a cyberattack that has crippled key parts of its IT infrastructure, forcing the lingerie giant to halt online sales and freeze employee access to internal systems.
The company posted a notice on its website informing customers that it was taking “precautionary” measures after identifying a breach. The statement emphasized that while the website and some store services are down, Victoria’s Secret and PINK physical stores remain open. Bloomberg reports, citing internal sources, that the company has brought in outside cybersecurity experts, locked employee email accounts, and halted operations in its customer care and distribution centers. The company’s CEO, Hillary Super, reportedly warned staff that recovery could take time.

The disruption comes at a sensitive time for Victoria’s Secret & Co., a major American lingerie retailer with over 900 stores worldwide and an extensive e-commerce platform that serves millions of customers. The company has been undergoing a corporate turnaround, focusing on inclusivity and store revamps while also navigating complex market dynamics, including increased investor pressure from major stakeholders like BBRC International. Shares of Victoria’s Secret dropped nearly 7% following news of the breach.
Details of the attack are still emerging, but discussions on Reddit and among cybersecurity watchers point strongly to ransomware as the likely culprit. Customers noted that the Victoria’s Secret website had been offline for over 14 hours, with some reporting that IT employees were told not to report to the office or log into company systems until later in the week, a telltale sign of a severe containment effort. Reddit commenters, including alleged former IT staff, speculated that outdated systems such as COBOL-based applications and heavy reliance on VBA scripts could have left the company especially vulnerable.
The incident closely follows a wave of cyberattacks targeting major retailers in the UK, including Marks & Spencer, Co-op, and Harrods, which were reportedly hit by the DragonForce ransomware cartel. While no formal link has been established between the Victoria’s Secret breach and the DragonForce campaign, the similarities in timing, tactics, and target sector are notable.
Victoria’s Secret has not yet disclosed whether customer data was compromised, nor has it provided a timeline for full restoration of its systems. As a publicly traded company, it will be required under SEC rules to file a formal disclosure within four business days if the incident is deemed “material,” a threshold likely to be met given the operational disruptions and stock impact.
CyberInsider has contacted Victoria’s Secret for more details on the incident, and a spokesperson sent the following comment:
“We identified and are taking steps to address a security incident. We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in store services as a precaution. We are working to quickly and securely restore operations. We continue to serve customers in our Victoria’s Secret and PINK stores.” – Victoria's Secret