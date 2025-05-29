from the overexposure dept.
Underwear retailer Victoria's Secret's website has been down for three days, with the company blaming an unspecified security problem.
"We identified and are taking steps to address a security incident," a spokesperson told The Register. "We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in-store services as a precaution. We are working to quickly and securely restore operations."
As of 5.30 pm San Francisco time on Wednesday, the website displays a similar message on a pink background - and nothing else.
The company declined to respond to our questions about a possible ransomware infection, the timeline of the problems, or whether it has asked police to investigate.
A spokesperson did confirm that its 800-plus real-world stores are open and operating as normal. That means the company can accept payments, suggesting this security incident impacts other systems.
According to the retailer's most recent annual report its online arm brought in just over $2 billion last year and accounted for around a third of its revenue.
The situation has therefore spooked investors, who sent the company's stock price down almost seven percent on Wednesday.
This is exactly the kind of scenario that digital extortionists like because it puts extra pressure on the victim to pay up.
The timing of the shutdown is also interesting. Attackers are known to hit their targets on public holidays like Monday's US Memorial Day, as IT departments are short-staffed and therefore less able to mount a defense.
Retailers have had rotten time of it lately on the cyber-safety front.
In the last six weeks three major UK retail chains - Marks and Spencer, Harrods, and the Co-op - have all suffered attacks. In the case of Marks and Spencer the company reports that online operations are still being disrupted and warned investors that the cost of the incident was now £300 million ($404 million).
Earlier this month, Google's infosec outfit Mandiant warned that some threat groups, including Scattered Spider, are moving against US retailers after scoring successes in the UK.
