Victoria’s Secret has taken down its U.S. website and says some in-store services will also be unavailable as it addresses an unspecified “security incident.”
A message to customers remained in place of the popular lingerie brand’s normal shopping site Thursday, stating that the Ohio-based company had halted these operations “as a precaution.”
“Our team is working around the clock to fully restore operations,” the message read. “We appreciate your patience during this process.”
Victoria’s Secret did not provide many details about the security incident, or directly confirm whether it was a cyber or ransomware attack.
“We identified and are taking steps to address a security incident,” a Victoria’s Secret spokesperson said in a statement to CBS News. “We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in store services as a precaution. We are working to quickly and securely restore operations.”
Victoria’s Secret also didn’t specify when it first identified the issue and began pulling back services. Most media reports of the retailer’s website going dark emerged Wednesday – when the company also shared an update on social media – but some frustrated customers online said they began experiencing issues earlier in the week, as far back as Monday.
An FAQ on the corporate site for Victoria’s Secret notes that the company doesn’t have an estimate for when its site will be back up. Its customer care services were also offline as of Wednesday night.
The company added that it is trying to fulfill orders placed before Monday and that it would be extending return windows and some direct mail coupon offers for impacted customers in the U.S.
Victoria’s Secret said its stores, as well as its PINK brand locations, remain open for customers. But some in-store services – such as returning online orders in person – are unavailable per its customer FAQ.
It was not immediately clear if any in-store services in Victoria’s Secret locations outside the U.S. were also impacted. But the company’s U.K. site appeared uninterrupted Thursday.
Bloomberg News reported that Victoria’s Secret also stopped some of its office operations and that some employees were locked out of their company email accounts on Wednesday, citing an anonymous source familiar with the matter.
Shares for Victoria’s Secret tumbled about 4% as of midday Thursday.
While not confirmed by the company, the “security incident” impacting Victoria’s Secret’s operations bears all the hallmarks of a cyberattack. And it arrives as more and more companies report breaches that disrupt operations and/or expose customer data.
Last week, for example, Adidas announced that it had recently become aware of an “unauthorized external party” obtaining some consumer data – mostly consisting of contact information – through a third-party customer service provider. The German shoe and clothing company said it would be informing impacted customers and working with law enforcement.
And several British retailers – Marks & Spencer, Harrods and Co-op – have all shared that they’ve been targeted by cyberattacks over recent weeks. The cyberattack hitting M&S stopped it from processing online orders and left store shelves empty, with the company estimating that this will cost it 300 million pounds ($400 million).
And following any cybersecurity incident impacting a consumer-facing brand, experts warn that it’s important for shoppers to be alert. Fraudsters might promise fake promotions through phishing emails, for example, or use sensitive information that may have been compromised.
