In late May 2025, Victoria’s Secret, a retail giant with roughly $2 billion in annual e-commerce sales, became the latest high-profile victim in a wave of cyberattacks targeting the retail industry. The sudden takedown of its U.S. website, the disruption of in-store services, and the lockout of employees signalled not just a technical failure but a deliberate, well-planned intrusion, most likely the work of a ransomware group. This blog breaks down what happened, who the likely threat actors are, how they probably pulled it off, and the implications for the broader retail sector.
Timeline of the Incident:
May 25, 2025: User complaints on Reddit and social platforms begin regarding website outages.
May 26, 2025: Widespread disruptions in Victoria’s Secret’s U.S. online operations are noted.
May 28, 2025: The company takes its U.S. website offline and disables certain in-store services, displaying a message about a “security incident.”
May 30, 2025: Stock price drops 7-8%, wiping out millions in market cap.
Impacted areas included:
Complete halt in online orders
Employee email accounts and password logins out of service
Office and backend systems locked down
Suspension of in-store online return processing
While Victoria’s Secret has not publicly confirmed the identity of the attackers, threat intelligence reporting and the observed pattern of the attack suggest the involvement of:
Scattered Spider (UNC3944): Known for advanced social engineering, this English-speaking group frequently targets help desks and customer service agents, persuading them to reset passwords or re-enrol MFA devices in order to gain initial access.
DragonForce Ransomware Group: Often working in tandem with Scattered Spider, which supplies the initial access, DragonForce deploys the ransomware payload and applies double extortion: data is first exfiltrated and then encrypted, so victims face both downtime and the threat of publication.
Both groups have been linked to 2025 attacks on major UK retailers, including Marks & Spencer and Harrods.
Multiple techniques were likely at play:
Ransomware deployment: The most probable explanation for the impact. The scope of the lockdown, the loss of access to internal tools, and the multi-day recovery are consistent with lateral movement across the network followed by encryption of core systems.
Social Engineering: Scattered Spider is known for tricking employees or help-desk staff, via fake support calls or phishing emails, into handing over credentials, approving MFA prompts, or resetting accounts, which provides the initial foothold.
Third-Party Exposure: Retailers rely heavily on third-party platforms for logistics, payment processing, and customer service. Misconfigured APIs or compromised vendors can serve as an entry point.
Timing Strategy: Striking over the Memorial Day weekend (May 24–26, 2025) meant thinner IT and security staffing, maximising disruption before the intrusion was detected and contained.
High Transaction Volume: With over $2B in online sales, the brand was a lucrative target for ransomware extortion.
Legacy Infrastructure: Like many large retailers, older backend systems may lack modern defenses.
Global Visibility: The breach ensured media attention, amplifying pressure on Victoria’s Secret to respond quickly and potentially meet ransom demands.
Operational Downtime: Website and in-store systems were offline for several days, affecting customer experience and daily revenue.
Financial Loss: Lost sales during the outage combined with the stock decline could run into hundreds of millions of dollars.
Brand Damage: Loss of consumer trust due to perceived lack of preparedness.
Data Exposure Risks: While unconfirmed, if customer data were exfiltrated, risks include phishing, fraud, and identity theft.
Compliance Fallout: Potential scrutiny from regulators and legal actions due to inadequate safeguards.
Harden Identity Access Controls: Enforce least-privilege IAM policies, phishing-resistant MFA, and strict identity verification before any help-desk password reset or MFA re-enrolment.
Strengthen Employee Awareness: Run continuous phishing and social engineering training, with specific drills for help-desk and customer service staff.
Vendor Risk Management: Audit all third-party integrations and enforce security SLAs.
Implement Real-Time Monitoring: Correlate identity, endpoint, and network telemetry so anomalies such as a password reset followed by a new MFA device and an unfamiliar login are caught before the intruder spreads across the network.
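As an added illustration of the monitoring point (this is example code written for this post, not code from Victoria’s Secret, Zeron, or any vendor), the script below correlates identity events to catch the help-desk takeover chain associated with Scattered Spider: a help-desk password reset, followed within an hour by an MFA device enrolled from outside the corporate network, followed by a successful login from that same address. The log lines, field names, and corporate IP ranges are all constructed assumptions for the example.

```python
"""Detect the help-desk reset -> new MFA device -> external login chain.

Added example for this post. Event schema, sample events and the
corporate network ranges are constructed assumptions, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# The whole chain must complete within this time of the reset (assumption).
WINDOW = timedelta(minutes=60)

# Constructed corporate/VPN egress ranges; an enrolment from here is treated
# as a normal IT-assisted re-enrolment rather than an attacker's device.
CORPORATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample events (deliberately out of order to exercise sorting).
SAMPLE_EVENTS = [
    {"ts": "2025-05-24T21:09:40Z", "user": "jdoe", "event": "mfa_device_enrolled",
     "src": "203.0.113.17"},
    {"ts": "2025-05-24T21:02:11Z", "user": "jdoe", "event": "helpdesk_password_reset",
     "src": "helpdesk-portal", "agent": "agent42"},
    {"ts": "2025-05-24T21:15:03Z", "user": "jdoe", "event": "login_success",
     "src": "203.0.113.17"},
    # Benign: reset, then login from the office, no new MFA device.
    {"ts": "2025-05-24T09:00:00Z", "user": "asmith", "event": "helpdesk_password_reset",
     "src": "helpdesk-portal", "agent": "agent07"},
    {"ts": "2025-05-24T09:30:00Z", "user": "asmith", "event": "login_success",
     "src": "10.20.30.40"},
    # Benign: IT desk re-enrols a device from a corporate address.
    {"ts": "2025-05-24T14:00:00Z", "user": "bchen", "event": "helpdesk_password_reset",
     "src": "helpdesk-portal", "agent": "agent07"},
    {"ts": "2025-05-24T14:05:00Z", "user": "bchen", "event": "mfa_device_enrolled",
     "src": "10.1.2.3"},
    {"ts": "2025-05-24T14:06:00Z", "user": "bchen", "event": "login_success",
     "src": "10.1.2.3"},
]


@dataclass
class Alert:
    user: str
    reset_at: str
    agent: str          # help-desk agent who performed the reset
    new_mfa_src: str    # external address that enrolled the new MFA device


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_corporate(src: str) -> bool:
    """True if src is an IP inside a known corporate range; non-IPs are False."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETS)


def detect_helpdesk_takeover(events):
    """Return one Alert per user whose reset is followed, inside WINDOW, by an
    MFA enrolment from a non-corporate address and a login from that address."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, ev in enumerate(evs):
            if ev["event"] != "helpdesk_password_reset":
                continue
            reset_time = parse_ts(ev["ts"])
            enrolment = None
            for follow in evs[i + 1:]:
                if parse_ts(follow["ts"]) - reset_time > WINDOW:
                    break  # chain did not complete in time; not this pattern
                if (follow["event"] == "mfa_device_enrolled"
                        and not is_corporate(follow["src"])):
                    enrolment = follow
                elif (enrolment is not None
                        and follow["event"] == "login_success"
                        and follow["src"] == enrolment["src"]):
                    alerts.append(Alert(user, ev["ts"], ev["agent"], follow["src"]))
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(SAMPLE_EVENTS):
        print(alert)
```

The point of keying on the help-desk agent is that the same rule also surfaces an agent whose resets repeatedly precede external MFA enrolments, which is the pattern a social-engineering campaign against the service desk leaves behind. In production the same logic would run over a SIEM stream rather than an in-memory list, and the corporate ranges would come from the organisation’s own inventory.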
Zeron’s Cyber Risk Posture Management (CRPM) platform gives organizations complete visibility into their attack surface and helps them quantify risks in real time. Here’s how we protect businesses like yours:
Attack Surface Management to identify exploitable vulnerabilities before threat actors do.
Cyber Risk Quantification (CRQ) to understand the financial impact of threats.
Third-Party Risk Monitoring (Vendor Pulse) to evaluate vendor-related exposures.
Executive-Level Dashboards for real-time posture updates and incident drill-downs.
Our unified platform is built for organisations that refuse to leave cybersecurity to chance. Want to see how it works? Book a demo with us.