Security incident shuts down Victoria's Secret site

Issues were reported by users as early as Sunday

On Thursday, May 29, 2025, Victoria's Secret announced a major cybersecurity incident that forced the shutdown of its U.S. website and disrupted several in-store services. The company confirmed the breach, stating they had identified a security issue and were taking immediate steps to address it.

This incident halted their online store, which accounted for roughly one-third of their $6.23 billion revenue in 2024, a critical loss during a peak shopping period. It also impacted internal systems, including employee email access and operations at some distribution centers.

According to an FAQ page^[1] on the company’s website, the issue may have started on or after Monday, May 26, 2025, during the Memorial Day holiday^[2] – a time when reduced staffing likely made the company more vulnerable to attacks. In-store services, such as processing online returns, were unavailable, and online customer care services were also down, leaving customers unable to get support. A message displayed on the Victoria's Secret website stated:^[3]

Valued customer, we identified and are taking steps to address a security incident. We have taken down our website and some in store services as a precaution. Our team is working around the clock to fully restore operations. We appreciate your patience during this process. In the meantime, our Victoria’s Secret and PINK stores remain open and we look forward to serving you.

As of Friday, May 30, 2025, Victoria's Secret is back online, though some of its services are still limited. Employees were told by CEO Hillary Super in a memo that “recovery is going to take a while,”^[4] implying a long process of recovery. The company has teamed up with third-party cybersecurity companies to analyze the breach and make their systems more secure so that there are no repeat issues in the future.

Potential implications for customers

The financial loss of the Victoria's Secret breach can be significant. The closing of their online store certainly resulted in a substantial loss of sales, especially in a hectic holiday season following Memorial Day. Rebuilding costs, including the employment of experts and updating systems, will all add to the financial loss.

If customer data, such as payment details or individual data, were compromised, the firm would be legally challenged and face losing the trust of customers, thus harming future sales.

To consumers, the threats extend beyond the immediate disruption. Cybersecurity professionals advise monitoring bank accounts for unusual activity and taking precautions against phishing emails, which peak following such an attack. If sensitive details were compromised, attackers might use them for identity theft or particular scams.

Victoria's Secret has not yet said whether customer data was breached, but the long recovery time shows the effect of the breach may still be felt, requiring ongoing vigilance by both the company and its customers.

Retailers have been affected by numerous cybersecurity attacks in 2025

The Victoria's Secret incident is part of a broader wave of cyberattacks targeting retailers in 2025. Major companies like Marks & Spencer,^[5] Harrods, Dior, and Adidas have also faced similar breaches this year, highlighting the sector’s vulnerability.

Retailers rely heavily on digital systems and third-party vendors, which can create security gaps that hackers exploit. The growth of online shopping has further expanded opportunities for cybercriminals seeking financial gain or sensitive data.

Experts emphasize that retailers must respond quickly and transparently to minimize damage. The reliance on external IT partners often introduces risks if their security practices are not robust, a common issue in retail.

This breach underscores the need for frequent security audits, advanced threat detection, and strong incident response plans. As cyberattacks become more sophisticated, retailers must invest in better defenses and ensure third-party partners meet high security standards to protect against future threats.