Victoria’s Secret faces cyber breach amid Memorial Day sales

Victoria’s Secret has become the latest high-profile retailer to fall victim to a serious cybersecurity incident, with its US website and some in-store services forced offline during one of the busiest retail periods of the year.

While the Ohio lingerie giant has remained tight-lipped about the specific nature of the “security incident,” according to reports the disruption began in the lead-up to Memorial Day—a time when online traffic and transaction volumes are at their peak.

A holding message on the retailer’s website confirmed that services were suspended “as a precaution,” with the company stating, “Our team is working around the clock to fully restore operations.”

Though stores under both the Victoria’s Secret and Pink brands remain open, some services—such as in-store returns for online orders—are unavailable. Frustrated customers have taken to social media, many reporting issues as early as the Monday before the holiday, days before the company formally acknowledged the breach.

The timing of the incident has raised questions among cybersecurity experts and business leaders alike. Attacks coinciding with holidays and weekends are becoming increasingly common as cybercriminals exploit periods when businesses are least prepared.

The Holiday Ransomware Report, published by cybersecurity firm Semperis last year, reveals that over 70% of organisations reported ransomware incidents during holidays or weekends—times when security teams are typically understaffed.

Dan Lattimer, area vice president at Semperis, warned at the time: “Cyber threats don’t take a holiday. In fact, attackers are exploiting quieter times when they know they may be more successful—using periods of understaffed security operations to their advantage.”

Victoria’s Secret has yet to confirm whether this incident involved ransomware, but its scale and timing suggest a pattern of launching cyberattacks on unprepared retailers, including one on Marks & Spencer, which severely hindered the company’s online presence.

That attack cost the British retailer £300m in lost operating profits and disruptions until July.

Why Poundland cyber leader is pleased to receive SOCs for Christmas

Notably, Semperis’ research found that 52% of businesses admit their Security Operations Centre (SOC) is only partially staffed during bank holidays and weekends. Alarmingly, 42% of those with so-called “24/7” SOCs said they operate at just 25% capacity outside regular hours.

Well defined response plan

Javvad Malik, lead security awareness advocate at KnowBe4, commented: “Suspending website functionality is not decision organisations take lightly. This event highlights the importance of a robust security culture, especially in sectors like retail, where customer trust is critical.”

Javvad Malik, security advocate, Knowbe4

CyberSmart CEO Jamie Akhtar emphasised the need for swift and structured response protocols: “Even though Victoria’s Secret has yet to disclose full details, the engagement of third-party experts and the immediate shutdown of systems indicates they are following a defined response plan.

“For customers, this is a reminder to review personal security practices—monitor account activity, change passwords, and stay alert to phishing attempts.”

Vonny Gamot, head of EMEA at McAfee, offered practical advice to consumers potentially affected by the breach. She advised assuming one’s data may have been compromised even without notification, changing reused passwords, enabling two-factor authentication, and monitoring financial accounts closely.

Vonny Gamot, Head of EMEA McAfee

The Victoria’s Secret incident serves as a reminder that cybercriminals are exploiting the cracks in business defences—especially during bank holidays when vigilance dips. With more than half of surveyed businesses admitting they reduce security staffing during holidays, the retail sector remains exposed.