[Update as of June 4, 2025] Following a cyber attack last week that prompted Victoria’s Secret to shut down its website and pause some in-store services, both The North Face and Cartier have reported attacks of their own, multiple sources report. Both fashion brands said that customer data was stolen, including names and emails, in the separate hacking events.
The North Face, which is owned by VF Corp., shared with customers that it had suffered a “small-scale” attack on its website in April. The attack was the result of “credential stuffing,” a type of hack where account information obtained through a different data breach is used to access other companies’ systems, working under the assumption that consumers will repurpose log-in details across multiple accounts. The North Face assured customers that no financial details were stolen in the attack.
Luxury brand Cartier also shared in an email to customers that “an unauthorized party gained temporary access to our system and obtained limited information.” That attack also resulted in theft of customer information, including details such as products purchased, shipping address, birth date and telephone number.
At the same time, Victoria’s Secret announced that it was delaying the reporting of its fiscal 2025 Q1 results as a result of the attack on its systems last week. While the attack did not have any impact on the company’s Q1 results, with the quarter having closed on May 3, Victoria’s Secret said that the restoration process following the attack has barred employees from accessing systems needed to report its financial results. A new date for the company’s earnings release has not yet been set.
Advertisement
While Q1 earnings are expected to fall at or above the high end of its previous guidance, Victoria’s Secret also cautioned that the attack in late May might lead to financial impacts in Q2 and beyond.
Original story from May 30, 2025 begins-
Victoria’s Secret Latest Hit in Growing Swath of Retail Cyber Attacks
Victoria’s Secret is the latest retailer to be hit by a cyber attack following similar incidents at Marks & Spencer, Dior, Harrods and Adidas, all this month.
On May 29 the Victoria’s Secret website featured a message that the site had been shut down due to a “security incident,” however, consumer commentary online indicates that website outages may have started much earlier in the week. Victoria’s Secret later confirmed in a statement issued on June 3 that the shut down had extended from May 26 through May 29.
Stores remained open throughout the outage, although some in-store services also were paused during the incident. Most of those systems have since been restored, as of the company’s June 3 statement.
“We identified and are taking steps to address a security incident,” read the message during the outage on the Victoria’s Secret website, which was restored by May 30. “We have taken down our website, including our Customer Care Services and some in-store services as a precaution. Our team is working around the clock to fully restore operations. We appreciate your patience during this process. In the meantime, our Victoria’s Secret and PINK stores remain open and we look forward to serving you.”
The company has extended its return window for an additional 30 days and will extend the redemption window for coupons and rewards to accommodate customers affected by the outage, according to a company FAQ page.
Retailers Must Prepare for Direct and In-Direct Attacks
Details on the nature of the Victoria’s Secret cyber attack haven’t been disclosed, but the security breach points to a worrying trend following similar incidents at other retailers this month.
“The recent security incident at Victoria’s Secret, following a string of attacks on other retailers, suggests a potentially coordinated campaign targeting the retail sector,” Javvad Malik, Lead Security Awareness Advocate at cybersecurity consultancy and training firm KnowBe4 in comments shared with Retail TouchPoints. “While information remains limited at this point, suspending website functionality is not a decision that organizations take lightly. In the retail sector, where customer trust is paramount, embedding security awareness across all levels of the business is crucial. This culture should emphasize not only technological defenses but also staff vigilance to act swiftly when threats are detected.”
In addition to damaging customer trust, cyber attacks can have very real financial impacts. A sustained cyber attack on British retailer Marks & Spencer earlier in the month, which was linked to hacking group known as Scattered Spider, cost the company millions of pounds each day, according to The Guardian.
The financial impact on Victoria’s Secret is not yet known, but as Malik indicated, shutting down its website will no doubt have significant financial ramifications and highlights the difficult decisions retailers must make when facing these attacks.
Earlier this month, Adidas fell victim to an attack on its third-party customer service provider resulting in the leak of personal data from customers who had contacted its help desk.
The Adidas attack highlights an additional vulnerability for retailers beyond their own systems: “This demonstrates how critical it is for organizations to have oversight of their supplier cybersecurity posture,” said Siân John, Chief Technology Officer at cybersecurity consulting firm NCC Group, in comments shared with Retail TouchPoints. “Global brands [are often] at the center of a vast network of third parties and they are only as strong as their weakest link, so they must collaborate with partners and suppliers to build a robust ecosystem around them.”
Customer Data Makes Retailers an ‘Attractive Target’
This puts an immense amount of pressure on retailers’ already busy technology teams, said Jon Bance, COO at UK-based technology consultancy Leading Resolutions: “The scope of CIOs is stretched more than ever between addressing critical security and AI innovation, amid macroeconomics that continue to worsen,” he said in comments shared with Retail TouchPoints. “Safeguarding against cyber attacks must be a continuous, forefront goal that the U.K.’s National Cyber Security Centre and even Cabinet officials are emphasizing as a business priority.”
The same advice holds true around the globe. In fact, new research from Fastly indicates that retailers and ecommerce businesses are particularly vulnerable to cyber attacks, with no other industry at a greater risk of data loss — 46% of security professionals at retailers reported experiencing data loss as the direct result of cyber attacks in the last year, and retailers that had experienced attacks within the last 12 months averaged a loss of more than 10% of their annual revenue. Network outages (38%), customer account compromises (25%), and loss of client trust and satisfaction (both 23%) were other common damages caused by security breaches, according to resondents.
“Retailers handle a huge amount of critical information every time a customer makes a purchase,” said Sean Leach, VP of Technology at Fastly, in a statement. “They are trusted by their customers to store this information — bank details, individual addresses and more — securely. But handling this sensitive data also makes retailers an extremely attractive target for bad actors. Recovering from a security breach is hugely complicated in this sector. Beyond the potential up-front financial loss, personal data being compromised results in a significant loss of trust, causing major reputational damage that can have a significant long-term impact on a business’ bottom line.”
