Victoria’s Secret is the latest retailer to be hit by a cyber attack following similar incidents at Marks & Spencer, Dior, Harrods and Adidas, all this month.
On Thursday the Victoria’s Secret website featured a message that the site had been shut down due to a “security incident,” however, consumer commentary online indicates that website outages may have started much earlier in the week. Stores remained open throughout the outage, although some in-store services also were paused during the incident.
“We identified and are taking steps to address a security incident,” read the message during the outage on the Victoria’s Secret website, which has since been restored. “We have taken down our website, including our Customer Care Services and some in-store services as a precaution. Our team is working around the clock to fully restore operations. We appreciate your patience during this process. In the meantime, our Victoria’s Secret and PINK stores remain open and we look forward to serving you.”
The company has extended its return window for an additional 30 days and will extend the redemption window for coupons and rewards to accommodate customers affected by the outage, according to a company FAQ page.
Advertisement
Retailers Must Prepare for Direct and In-Direct Attacks
Details on the nature of the Victoria’s Secret cyber attack haven’t been disclosed, but the security breech points to a worrying trend following similar incidents at other retailers this month.
“The recent security incident at Victoria’s Secret, following a string of attacks on other retailers, suggests a potentially coordinated campaign targeting the retail sector,” Javvad Malik, Lead Security Awareness Advocate at cybersecurity consultancy and training firm KnowBe4 in comments shared with Retail TouchPoints. “While information remains limited at this point, suspending website functionality is not a decision that organizations take lightly. In the retail sector, where customer trust is paramount, embedding security awareness across all levels of the business is crucial. This culture should emphasize not only technological defenses but also staff vigilance to act swiftly when threats are detected.”
In addition to damaging customer trust, cyber attacks can have very real financial impacts. A sustained cyber attack on British retailer Marks & Spencer earlier in the month, which was linked to hacking group known as Scattered Spider, cost the company millions of pounds each day, according to The Guardian.
The financial impact on Victoria’s Secret is not yet known, but as Malik indicated, shutting down its website will no doubt have significant financial ramifications and highlights the difficult decisions retailers must make when facing these attacks.
Earlier this month, Adidas fell victim to an attack on its third-party customer service provider resulting in the leak of personal data from customers who had contacted its help desk.
The Adidas attack highlights an additional vulnerability for retailers beyond their own systems: “This demonstrates how critical it is for organizations to have oversight of their supplier cybersecurity posture,” said Siân John, Chief Technology Officer at cybersecurity consulting firm NCC Group, in comments shared with Retail TouchPoints. “Global brands [are often] at the center of a vast network of third parties and they are only as strong as their weakest link, so they must collaborate with partners and suppliers to build a robust ecosystem around them.”
Customer Data Makes Retailers an ‘Attractive Target’
This puts an immense amount of pressure on retailers’ already busy technology teams, said Jon Bance, COO at UK-based technology consultancy Leading Resolutions: “The scope of CIOs is stretched more than ever between addressing critical security and AI innovation, amid macroeconomics that continue to worsen,” he said in comments shared with Retail TouchPoints. “Safeguarding against cyber attacks must be a continuous, forefront goal that the U.K.’s National Cyber Security Centre and even Cabinet officials are emphasizing as a business priority.”
The same advice holds true around the globe. In fact, new research from Fastly indicates that retailers and ecommerce businesses are particularly vulnerable to cyber attacks, with no other industry at a greater risk of data loss — 46% of security professionals at retailers reported experiencing data loss as the direct result of cyber attacks in the last year, and retailers that had experienced attacks within the last 12 months averaged a loss of more than 10% of their annual revenue. Network outages (38%), customer account compromises (25%), and loss of client trust and satisfaction (both 23%) were other common damages caused by security breaches, according to resondents.
“Retailers handle a huge amount of critical information every time a customer makes a purchase,” said Sean Leach, VP of Technology at Fastly, in a statement. “They are trusted by their customers to store this information — bank details, individual addresses and more — securely. But handling this sensitive data also makes retailers an extremely attractive target for bad actors. Recovering from a security breach is hugely complicated in this sector. Beyond the potential up-front financial loss, personal data being compromised results in a significant loss of trust, causing major reputational damage that can have a significant long-term impact on a business’ bottom line.”
