HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Victoria’s Secret takes website offline amid cybersecurity incident

Written by Farah Amod | Jun 11, 2025 2:24:54 AM

The retailer has shut down online operations and some store services as it investigates an ongoing cybersecurity issue.

What happened

Victoria’s Secret has taken its website and select in-store services offline in response to a security incident, the company confirmed this week. The disruption affects both Victoria’s Secret and its PINK brand stores, though physical retail locations remain open while digital operations are being restored.

In a message posted on its now-inactive website, the company cited a security incident and stated that it is working "around the clock" to resolve the situation. No further details about the nature or scope of the incident have been disclosed.

Going deeper

The company reported $6.23 billion in revenue for the fiscal year ending February 2025 and operates approximately 1,380 stores across nearly 70 countries. In response to the incident, Victoria’s Secret has engaged external cybersecurity experts and enacted internal response protocols to assess and contain the situation.

A spokesperson confirmed to BleepingComputer that the website and some in-store systems were taken offline as a precaution. Employees were informed that recovery "is going to take a while," according to a note from CEO Hillary Super shared with Bloomberg.

What was said

"We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in store services as a precaution," a Victoria’s Secret spokesperson told BleepingComputer. "We are working to quickly and securely restore operations."

Customers attempting to visit the website are met with a notice thanking them for their patience while restoration efforts continue.

The big picture

Victoria’s Secret has reported a cybersecurity incident, adding to a series of recent breaches affecting the retail sector. In the past few weeks, brands such as Dior and Adidas have disclosed similar events, while U.K. retailers including Harrods, Co-op, and Marks & Spencer have also been affected.

Although Victoria’s Secret has not identified those responsible, past retail breaches have been associated with groups like DragonForce and Scattered Spider, which often use social engineering and ransomware techniques. Given the volume of customer data they hold and their reliance on interconnected digital platforms, retailers continue to face an elevated risk of extortion attempts and service disruptions.

FAQs

Why would a company take its website offline during a cyber incident?

Taking systems offline helps prevent further unauthorized access, limits data exposure, and allows internal teams and investigators to assess damage without interference.

What kinds of systems are typically affected during retail security breaches?

Beyond websites, breaches may impact point-of-sale systems, customer service portals, internal employee tools, and supply chain logistics platforms.

What role do third-party experts play in a cybersecurity investigation?

These experts conduct forensic analysis, help identify vulnerabilities, contain the threat, and assist with secure system restoration.

Are incidents like these typically reported to regulators or customers?

Yes. Companies are generally required to report breaches involving customer data to relevant regulators and, in many jurisdictions, notify affected individuals as well.

What should customers do if they’re concerned about their data?

Customers can monitor their accounts for suspicious activity, change passwords associated with the affected retailer, and consider placing fraud alerts with credit bureaus if sensitive data was compromised.