Victoria’s Secret, the iconic lingerie and apparel retailer, has taken its U.S. website and mobile app offline and suspended select in-store services following a prolonged “security incident” that began over the Memorial Day weekend. The outage, which has disrupted online sales and internal operations since at least Sunday, May 25, has led to a nearly 7% drop in the company’s stock price, raising concerns about a potential data breach or cyberattack. Here’s the latest on this unfolding crisis.
Details of the Security Incident
On Wednesday, May 28, Victoria’s Secret announced via a statement on its website that it had “identified and [is] taking steps to address a security incident,” prompting the immediate shutdown of its U.S. online shopping platform and some in-store services. Customers visiting victoriassecret.com or the PINK website are met with a black or pink screen displaying a message: “Valued customer, we identified and are taking steps to address a security incident. We have taken down our website and some in-store services as a precaution. Our team is working around the clock to fully restore operations.” The company’s mobile app has also been rendered inoperable, displaying error messages, while some employees have been locked out of email accounts, and customer care and distribution center operations have been halted, according to Bloomberg.
A Victoria’s Secret spokesperson confirmed to Reuters, “We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in-store services as a precaution.” However, the retailer has provided no specific details about the nature of the incident, whether customer data was compromised, or when operations might resume. The company’s 1,350 Victoria’s Secret and PINK stores across 70 countries remain open for in-person shopping.
Impact on Business and Customers
The timing of the outage, coinciding with the Memorial Day weekend—a peak retail period—has amplified its impact. Online sales, which accounted for $2 billion or roughly one-third of Victoria’s Secret’s $6.23 billion net sales in 2024, are critical to the company’s revenue. The prolonged disruption, now in its fourth day, is considered rare for a retailer of this size, with some store associates estimating a 4–5-day total outage. Shares of Victoria’s Secret & Co. (NYSE: VSCO) fell 6.8–7.7% to $20.99 on Wednesday, reflecting investor concerns about lost e-commerce revenue and operational challenges.
Customer frustration has spilled onto social media, with users on X and Reddit reporting issues since Monday. One Reddit user, claiming to be a former Victoria’s Secret IT engineer, suggested the incident aligns with an old incident response plan, hinting at a possible data breach or malware attack. Another speculated that ransomware could be involved, noting that such attacks often target long holiday weekends when staffing is low. However, these claims remain unverified, and the company has not confirmed suspicions of a cyberattack.
Context of Rising Retail Cyberattacks
The incident comes amid a surge in cyberattacks targeting retailers. CNN reported that U.S. retail companies have faced sophisticated attacks by groups like Scattered Spider, with UK retailer Marks & Spencer recently losing £300 million ($404 million) in profits due to a cyberattack. Last week, Adidas disclosed a data breach involving customer contact information stolen via a third-party provider. Cybersecurity expert Richard Blech, CEO of XSOC Corp., told CNN that hackers, leveraging AI, are outpacing retailers’ defenses, which often rely on outsourced cybersecurity firms managing multiple accounts. “Hackers are ahead of the game and well-resourced,” Blech said, warning that Victoria’s Secret’s incident could follow a similar trajectory.
Victoria’s Secret’s Response and Challenges
Under CEO Hillary Super, who joined from Savage X Fenty in 2024, Victoria’s Secret is navigating a turnaround effort, including store revamps and a focus on inclusivity, while fending off a hostile takeover bid by BBRC International Pte Limited. Super reportedly told employees that “recovery is going to take a while,” per Bloomberg, raising concerns about the incident’s severity. The company’s prior adoption of the FAIR Control Analytics Model for cybersecurity, praised in April 2025, has not prevented this disruption, prompting questions about its preparedness.
What’s Next?
Victoria’s Secret is working with third-party experts to restore operations, but no timeline has been provided. The company is due to report earnings next week, and analysts, including Wells Fargo’s Ike Boruchow, predict near-term e-commerce challenges will weigh on performance. The lack of clarity on whether customer data was compromised or if ransomware is involved keeps investors and shoppers on edge.
