Victoria’s Secret experienced a significant cybersecurity breach in late May 2025 that forced the lingerie retailer to shut down its U.S. website and suspend various in-store services for several days.
The incident, first reported by customers on May 26, prompted immediate response protocols and precautionary shutdowns across digital platforms.
Police identified the Scattered Spider hacking group among potential suspects, though Victoria’s Secret declined to confirm whether the incident constituted a ransomware attack or traditional cyberattack.
Police linked the Scattered Spider hacking group to the breach, though Victoria’s Secret refused to classify the attack type.
The breach affected both website operations and corporate systems during a promotional sale period, potentially impacting revenue generation.
The company replaced its entire U.S. website with a customer notice featuring black text on a pink background, stating that teams were working “around the clock” to resolve the situation.
Customer care services went offline, some in-store functions became unavailable, and orders placed before Monday experienced significant disruptions.
Victoria’s Secret officially acknowledged the incident by May 29-30, with website restoration occurring on May 29.
Third-party security experts were immediately engaged to examine the breach and assist with system recovery.
The company’s main retail stores, including Victoria’s Secret and Pink locations, remained operational throughout the incident, though certain digital services remained compromised. The retailer’s digital sales represented approximately $2 billion of its total revenue, highlighting the significant financial impact of the website disruption.
Small businesses are particularly vulnerable to such attacks, as data breach costs average $4.35 million and often lead to business failure within six months.
To address customer concerns, Victoria’s Secret extended the U.S. return window by 30 additional days and prolonged redemption periods for expired direct mail coupons through the following Sunday.
The company committed to fulfilling pre-incident orders and providing email confirmations with tracking information for shipped items.
Nevertheless, online orders temporarily could not be processed for in-store returns.
The cybersecurity incident forced Victoria’s Secret to delay its scheduled earnings release as corporate systems underwent complete restoration efforts.
The attack highlighted the vulnerability of major retailers to sophisticated cyber threats, particularly during high-traffic promotional periods when security systems face increased strain.
This incident represents a growing trend of cyberattacks targeting retail giants, demonstrating that even established companies with substantial resources remain susceptible to determined hacking groups. Company shares fell approximately 4% following media reports of the security incident.
The rapid website restoration within three to four days reflected effective incident response procedures, though full corporate system recovery continued beyond the initial resolution period.
