Full Report
The U.S. website of Victoria’s Secret is down after an unspecified security incident, the latest in a series of cyber incidents hitting retailers.

A status message on the Victoria’s Secret website says the company “identified and are taking steps to address a security incident. We have taken down our website and some in store services as a precaution. Our team is working around the clock to fully restore operations.” Victoria’s Secret and PINK stores remain open, the status message reads.

It is not clear what type of security incident was involved or whether customer data was affected.

In a statement to The Cyber Express, a Victoria’s Secret spokesperson said the company “immediately enacted our response protocols” and engaged “third-party experts” for assistance. “We are working to quickly and securely restore operations,” the spokesperson added.

Victoria’s Secret Latest Retail Cyber Incident

The Victoria’s Secret website incident is the latest in a string of cyber incidents hitting retailers in recent weeks.

The cyber spree targeting retailers began in late April, when three UK retailers were hit in a matter of days. Those attacks have been attributed to the Scattered Spider threat group and reportedly involved the deployment of DragonForce ransomware.

Other recent cybersecurity incidents have affected Dior and Adidas, and Google warned in mid-May that Scattered Spider was apparently targeting U.S. retailers.

Victoria’s Secret, which has generated more than $6 billion in sales in the last year, saw its shares (NYSE:VSCO) fall more than 10% since news of the security incident broke on Wednesday. Bloomberg reported that an internal company communication said recovery from the security incident could take “awhile.”

Defending Against Scattered Spider

After the UK retail incidents, the UK’s National Cyber Security Centre issued guidance for retailers to protect their operations from cyberattacks.
Those steps include:

- Using multi-factor authentication
- Monitoring for signs of account misuse, such as “risky logins” within Microsoft Entra ID Protection
- Monitoring Domain Admin, Enterprise Admin, and Cloud Admin accounts and making sure that any access is legitimate
- Review helpdesk password reset processes, including procedures for authenticating staff credentials before resetting passwords
- Making sure that security operation centers can identify suspicious logins, such as from VPN services in residential ranges
- Following tactics, techniques, and procedures sourced from threat intelligence “whilst being able to respond accordingly.”

Google has also issued recent guidance for defending against Scattered Spider attacks.
Analysis Summary
# Incident Report: Victoria's Secret Website Disruption by Alleged Scattered Spider Activity
## Executive Summary
Victoria's Secret experienced a significant security incident resulting in their website being down for several days in late May 2025. The cause is strongly suggested to be related to the threat actor group Scattered Spider, which targets retailers. The impact included a prolonged operational outage of the primary website and a subsequent drop in the company's stock price by over 10%. Response efforts focused on recovery, with internal communications suggesting a lengthy remediation process.
## Incident Details
- **Discovery Date:** Wednesday, May 28, 2025 (Date news of the outage/incident broke)
- **Incident Date:** Occurred shortly before May 28, 2025 (Implied ongoing attack/disruption in mid-May referenced via related activity)
- **Affected Organization:** Victoria's Secret (NYSE: VSCO)
- **Sector:** Retail/Apparel
- **Geography:** United States (Based on company operations and stock exchange)
## Timeline of Events
### Initial Access
- **Date/Time:** Attack likely initiated around mid-May 2025, concurrent with other retailer targeting reports, leading up to the outage detected May 28.
- **Vector:** Attributed, but not definitively confirmed in the article, to the threat actor Scattered Spider, known for targeting US retailers.
- **Details:** Specific initial access method is not detailed in the provided text.
### Lateral Movement
- *Details not available in the provided text.*
### Data Exfiltration/Impact
- **Impact:** Prolonged outage of the Victoria’s Secret website, potentially lasting several days.
- **Financial Impact:** Company shares (NYSE:VSCO) fell more than 10% since the incident news broke.
### Detection & Response
- **Detection:** The incident was publicly apparent via the website being down, with internal communication confirming a security incident requiring recovery.
- **Response actions taken:** Internal teams were working on recovery, which was expected to take "awhile." No specific technical response actions are detailed.
## Attack Methodology
- **Initial Access:** Strongly associated with the methods used by Scattered Spider, which typically involve social engineering and MFA bypass techniques against retail entities.
- **Persistence:** *Not specified.*
- **Privilege Escalation:** *Not specified.*
- **Defense Evasion:** *Not specified.*
- **Credential Access:** *Not specified.*
- **Discovery:** *Not specified.*
- **Lateral Movement:** *Not specified.*
- **Collection:** *Not specified.*
- **Exfiltration:** *Not specified.*
- **Impact:** Operational disruption leading to website unavailability.
## Impact Assessment
- **Financial:** Over 10% drop in stock value (VSCO) since the incident announcement.
- **Data Breach:** The article does not explicitly confirm data exfiltration, but operational downtime suggests a severe systems compromise.
- **Operational:** Prolonged, unexplained outage of the primary website, with recovery expected to take "awhile."
- **Reputational:** Public negative exposure due to multi-day outage.
## Indicators of Compromise
- **Network indicators:** *Not specified (No defanged IPs/URLs provided).*
- **File indicators:** *Not specified.*
- **Behavioral indicators:** Association with the threat actor Scattered Spider, whose known tactics include targeting retailers (as seen in previous UK incidents).
## Response Actions
- **Containment measures:** *Not specified.*
- **Eradication steps:** *Not specified.*
- **Recovery actions:** Internal teams actively engaged in system recovery, anticipated to be lengthy.
## Lessons Learned
- The incident highlights the high risk faced by major retailers from sophisticated threat actors like Scattered Spider.
- Timely recovery following a severe compromise is critical to mitigating financial and reputational damage.
## Recommendations
Based on NCSC guidance issued following similar UK retail incidents, recommendations include:
1. Implement and rigorously enforce Multi-Factor Authentication (MFA).
2. Enhance monitoring for "risky logins" using tools like Microsoft Entra ID Protection.
3. Maintain strict oversight and validation procedures for Domain Admin, Enterprise Admin, and Cloud Admin accounts.
4. Review and strengthen helpdesk processes for authenticating staff credentials before executing password resets.
5. Ensure security operation centers can effectively identify suspicious logins originating from residential VPN ranges.
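
A sketch of how recommendations 3 to 5 can be combined into one sign-in triage rule, as an added example that is not taken from the NCSC guidance or from any vendor tool. The event fields, the role labels on each event, the one-hour reset window and the IP ranges (RFC 5737 documentation ranges standing in for a residential-VPN feed) are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: ranges your threat-intel feed tags as residential VPN exits.
# RFC 5737 documentation ranges are used here as placeholders.
RESIDENTIAL_VPN_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
PRIVILEGED_ROLES = {"Domain Admin", "Enterprise Admin", "Cloud Admin"}
RESET_WINDOW = timedelta(hours=1)  # assumption: tune to your environment

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"time": "2025-05-20T09:00:00", "type": "helpdesk_reset", "user": "alice", "roles": ["Cloud Admin"], "ip": None},
    {"time": "2025-05-20T09:12:00", "type": "signin", "user": "alice", "roles": ["Cloud Admin"], "ip": "203.0.113.45"},
    {"time": "2025-05-20T10:30:00", "type": "signin", "user": "bob", "roles": [], "ip": "198.51.100.7"},
    {"time": "2025-05-20T11:00:00", "type": "signin", "user": "carol", "roles": ["Domain Admin"], "ip": "192.0.2.10"},
    {"time": "2025-05-20T13:00:00", "type": "helpdesk_reset", "user": "dave", "roles": [], "ip": None},
    {"time": "2025-05-20T15:00:00", "type": "signin", "user": "dave", "roles": [], "ip": "192.0.2.20"},
]

def from_residential_vpn(ip):
    addr = ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_VPN_RANGES)

def triage(events):
    """Return (user, time, reasons) for each sign-in that needs analyst review."""
    last_reset = {}  # user -> time of the most recent helpdesk password reset
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "helpdesk_reset":
            last_reset[ev["user"]] = when
            continue
        vpn = from_residential_vpn(ev["ip"])
        privileged = bool(PRIVILEGED_ROLES & set(ev["roles"]))
        reset = last_reset.get(ev["user"])
        reasons = []
        if vpn:
            reasons.append("residential-vpn-source")
        if vpn and privileged:
            reasons.append("privileged-account-from-vpn")
        if reset is not None and when - reset <= RESET_WINDOW:
            reasons.append("signin-soon-after-helpdesk-reset")
        if reasons:
            alerts.append((ev["user"], ev["time"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

A sign-in that collects all three reasons, like the constructed `alice` event, is the one to escalate first: a helpdesk reset followed within minutes by privileged access from a residential VPN exit.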