Skip to content

Victoria's Secret takes down US website after 'security incident'

Tom Singleton
Technology reporter
EPA A man walks in front of a Victoria's Secret store frontEPA

Lingerie firm Victoria's Secret has taken down its US website and says it has halted some in-store services following what it has described as a "security incident".

The normal site has been replaced by a customer notice which says it is "working around the clock to fully restore operations".

It says its stores - and those of its spin-off, PINK - are still open for business.

The company's UK website is unaffected.

In a statement, the company detailed the action it has been taking.

"We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in-store services as a precaution," it said.

It has not given any further details about the nature of the incident or confirmed when it began.

The company which is based in Ohio, in the US, operates around 1,350 retail stores across 70 countries.

Its share price fell by approximately 7% on Wednesday, when it first issued a media statement about the incident.

Some customers have taken to social media to complain about the impact it is having on them.

"How can I check my order status when your page has been down for 2 days?!? And no one answers the phone either!", wrote one on X.

Spree of cyber attacks

The incident at Victoria's Secret comes after a number of major UK retailers have been hit by major cyber attacks.

M&S says it expects the hack it has been affected by will cost it around £300m, with disruption continuing until July.

The Co-op experienced empty shelves and disrupted payments after it was hacked.

Customer data has been stolen from both firms.

The cyber criminals who say they were responsible told the BBC that they targeted the firms with ransomware, which involves scrambling IT systems and telling companies they will only be restored in exchange for payment.

The police told BBC News that the crime gang Scattered Spider - some of whom are thought to be teenagers - are among the suspects.

Vonny Gamot, from online protection company McAfee, recommended any affected customers should take immediate action such as changing passwords and enabling two-factor authentication on accounts that support it.

She also said people should not wait to find out if they had been directly caught up in the cyber attacks.

"Even if you haven't received notification from the brand or retailer which has been impacted, assume your information may have been compromised if you've been a customer," she said.

"Companies often take weeks to identify all affected individuals."

A green promotional banner with black squares and rectangles forming pixels, moving in from the right. The text says: “Tech Decoded: The world’s biggest tech news in your inbox every Monday.”

Sign up for our Tech Decoded newsletter to follow the world's top tech stories and trends. Outside the UK? Sign up here.