Wyatte Grantham-Philips, Associated Press
NEW YORK (AP) – Victoria’s Secret has removed a US website and says some in-store services are not available to deal with “security incidents.”
On Thursday, a message to customers remained in place of the popular lingerie brand’s regular shopping site, saying that these businesses were suspended “as a precaution.”
“Our team is working 24 hours a day to fully restore the operation,” the message read.
Ohio-based Victoria’s secrets did not provide many details about a “security incident” or directly check whether it was a cyber attack or a ransomware attack. When asked for more information on Thursday, the spokesman said the company was involved with third-party experts, saying it had “instituted our response protocol.”
Victoria’s Secrets either were not specified when they first identified the issue and began pulling back the service. Most media coverage on the retailer’s website Going Dark appeared on Wednesday – the company also shared social media updates, but annoyed customers said they had started experiencing problems early in the week, going back to Monday.
The company has no estimates as to when the site will be backed up, a FAQ for Victoria’s Secret Company Site Notes. The company is attempting to meet orders placed prior to Monday, adding that it will extend its return windows and several direct mail coupon offers for US-affected customers.
Victoria’s secret says it remains open for its customers as well as its store and pink brand location. However, some in-store services, such as direct refunds for online orders, were not available as of Wednesday night. Also, according to the company’s FAQ, it is similar to online customer care services.
It was not immediately clear whether in-store services in a secret location in Victoria outside the US were also affected. However, the company’s UK site appeared uninterrupted on Thursday.
Bloomberg News reported that Victoria’s Secret has also suspended some of its office operations, with some employees being locked out of the company’s email accounts on Wednesday.
Victoria’s secret shares fell about 4% as of noon Thursday.
Although not confirmed by the company, “security incidents” that affect Victoria’s secrets affect all the characteristics of a cyberattack. It also arrives as more businesses abuse customer data, particularly among retailers, and report violations that publish customer data.
For example, last week, adidas recently announced that it had noticed a “fraudulent external party” through a third-party customer service provider who retrieves consumer data, which is primarily made up of contact information. The German shoe and clothing company said it would notify affected customers and work with law enforcement.
Also, several UK retailers, including Marks & Spencer, Harrods and Co-op, have shared all of their targets for cyberattacks over the last few weeks. A cyber attack that hits M&S has stopped processing online orders, left store shelves empty, and the company estimates it will cost £300 million ($400 million).
Following cybersecurity incidents affecting consumer brands, experts have warned that it is important for shoppers to be vigilant. Scammers may also promise fake promotions through phishing emails, for example, or use sensitive information that may have compromised.
The breadth of confusion affecting Victoria’s secrets this week is also “reminding businesses how widely the fallout is measured,” Tim Rollins, senior advisor and director of security at consulting firm NCC Group, said in an email Thursday.
“Stop operations rather than rushing back online is important to ensure patches, recovery efforts and enhanced cybersecurity in the long term,” he added.
Original issue: May 29, 2025, 2:35pm EDT
