Ohio-based Victoria’s Secret on May 29 said it was hit by a cyberattack and took down its website as well as some in-store services as a precaution.In a note sent to the retailer’s employees and reported in Bloomberg News, Victoria’s Secret Chief Executive Officer Hillary Super said that “recovery is going to take a while.”The news came on the heels of Germany-based Adidas being hit by a cyberattack last week, as well as French luxury brand Dior reporting a cybersecurity incident two weeks ago.There was also a wave of three cyberattacks on leading UK brands, including Marks & Spencer, which said it stood to lose more than $400 million because of the incident.The Google Threat Intelligence Group warned two weeks ago that the threat actor — presumed to be the ransomware group Scattered Spider — was going to expand its activities into North America.“Researchers confirm Victoria’s Secret deliberately pulled its site and disabled in-store services to contain an active breach, enlisted external incident responders, plus is tracking indicators consistent with Scattered Spider’s playbook: SIM-swap fraud, credential stuffing, Cobalt Strike beacon deployment, custom ransomware payloads, and extortion communications,” said Nic Adams, co-founder and CEO or 0rucs.Adams said the Victoria’s Secret attack mirrors the UK outages at Harrods, Co-op and Marks & Spencer, in which Scattered Spider leveraged high-volume help-desk ruses, rapid ransomware deployment, strategic extortion timing, affiliate syndicate escalation, and supply chain paralysis.Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard, added that retailers have become high-value targets for cybercriminals, with recent breaches making it clear that this represents more than just a passing trend.“These attacks are not isolated events,” said Sherstobitoff. “They represent a growing pattern exposing a deeper, systematic vulnerability within the retail industry.”Sherstobitoff explained that retailers operate in data-rich environments, handling troves of personally identifiable information (PII), loyalty data, and often payment credentials. Given the frequency and severity of recent attacks, Sherstobitoff said security can no longer be a back-burner issue for retailers.“A proactive, multi-layered cybersecurity strategy is essential,” he said. “One that extends beyond internal systems to include continuous monitoring of the entire external attack surface, including third-party vendors and the broader supply chain.”Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, said that the incident that Victoria Secret reported confirms what security experts feared: The retail sector hacks that have been happening in Europe would potentially shift their focus and target retailers in North America.“From a supply chain perspective, this incident exemplifies how retailers’ digital ecosystems, including e-commerce platforms, third-party services, and logistics interfaces, are now prime attack vectors,” said Janssen-Anessi. “If threat actors accessed backend systems that connect inventory, customer services, or fulfillment partners, this could have cascading effects beyond just Victoria’s Secret. Companies need to consider cybersecurity not just as a technical function, but as a business continuity imperative.”
Janssen-Anessi said while Victoria’s Secret has not officially confirmed the identity of the attackers, the use of social engineering techniques linked to Scattered Spider strongly indicate a possible connection. This group is notorious for targeting retail companies, and their TTP’s have been noted in similar incidents, she said.
“If this is indeed Scattered Spider, it’s important to understand that this group does not rely solely on malware or infrastructure exploits,” said Janssen-Anessi. “They specialize in social engineering, SIM swapping, and living-off-the-land techniques, which often evade traditional endpoint defenses. Their tactics reflect a shift towards adversaries who understand both technical and operational structures of large retail environments, and tailor attacks accordingly.”
