Victoria’s Secret has taken its website offline and suspended certain in-store services after a significant cybersecurity incident, leaving customers in the dark and investors rattled.
The shutdown began Sunday, just ahead of Memorial Day, and was confirmed by the company in a public statement. The lingerie giant said it was responding to a “security incident” and had taken the site offline as a precaution.
What we know so far
- The Victoria’s Secret and PINK websites are unavailable, displaying a message about an ongoing security issue.
- Some in-store services are also disrupted, although physical stores remain open.
- The company’s digital sales, which brought in $2 billion in 2024, are fully halted.
- Shares of Victoria’s Secret & Co. (VSCO) have dropped nearly 7% since the disruption began.
Incident response and growing concerns
Victoria’s Secret says it activated its incident response protocols and brought in third-party cybersecurity experts to assess and contain the damage. However, the company has not confirmed:
- Whether customer data was compromised
- If ransomware was involved
- Whether law enforcement is engaged
Cybersecurity analysts speculate that this could be a ransomware or SQL injection attack, based on industry patterns. The timing—during a holiday weekend—is also a known tactic among threat actors aiming to exploit reduced IT staffing.
Customer frustration mounts
The lack of detailed communication has triggered widespread speculation online:
- Customers reported the outage started Sunday.
- Victoria’s Secret’s last social media update made no mention of the issue.
- Hundreds of comments flooded a May 25 promotional post, demanding answers.
- Some users expressed fear over potential data exposure and called the silence “alarming.”
Corporate drama behind the scenes
The cyberattack also comes amid rising tensions at Victoria’s Secret. Days before the breach, the company enacted a “poison pill” defense to prevent a potential hostile takeover by BBRC International, an Australian firm that recently bought 13% of its stock.
The board’s move is designed to block any entity from quietly gaining control without paying shareholders a premium. BBRC has previously acquired retail brands, including Bras N Things, and recently launched its own lingerie line.
Retailers under siege
Victoria’s Secret joins a growing list of retailers hit by cyberattacks in 2025. In the UK, Marks & Spencer reported a $404 million loss tied to a similar incident, while Harrods also disclosed a breach.
Cybersecurity experts warn that as retail shifts increasingly online, the attack surface widens, especially for companies relying on third-party IT vendors.
This content is brought to you by the FingerLakes1.com Team. Support our mission by visiting www.patreon.com/fl1 or learn how you send us your local content here.
