A series of major cyber incidents have hit many global retail firms, with Victoria’s Secret and Adidas the latest to confirm data-related disruptions. The attacks have raised growing concerns about cybersecurity in the retail sector, as more companies reveal breaches affecting customer data and online services.
Victoria’s Secret, one of the world’s leading lingerie brands, unexpectedly shut down its US website on Wednesday following a cyberattack. The site remained offline on Thursday, with some in-store systems also disabled. Frustrated shoppers took to social media to share their concerns and complaints, particularly around not being able to track orders or access customer service.
In a statement shared via Instagram, the company said: “Valued customer, we identified and are taking steps to address a security incident. We have taken down our website and some in-store services as a precaution. Our team is working around the clock to fully restore operations. We appreciate your patience during this process. In the meantime, our Victoria’s Secret and PINK stores remain open, and we look forward to serving you.”
Visitors to the US website are met with the same message. The UK version of the site remains unaffected. The retailer, which is headquartered in Ohio and runs more than 1,350 stores in 70 countries, has not disclosed the nature of the incident. However, extended downtime has sparked speculation that it may be a ransomware attack. Its share price dropped by around 7% on the day the news first broke.
Adidas has also confirmed a data breach linked to a third-party service provider. The company revealed that an unauthorised external party accessed customer data through a vendor that handles customer service queries. The affected information includes contact details of customers who had previously contacted Adidas support, but the company stressed that no passwords or payment data were compromised.
Adidas released a statement saying, “adidas recently became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider. We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts.The affected data does not contain passwords, credit card or any other payment-related information. It mainly consists of contact information relating to consumers who had contacted our customer service help desk in the past. adidas is in the process of informing potentially affected consumers as well as appropriate data protection and law enforcement authorities consistent with applicable law. We remain fully committed to protecting the privacy and security of our consumers, and sincerely regret any inconvenience or concern caused by this incident.”
Commenting on the breach, Jonathan Stross, SAP Security Analyst at Pathlock, said: “This breach underscores the importance of establishing quality gates and data loss prevention for third-party software. While the company’s developments are being secured through agile processes and code reviews, third-party software tends to be blindly trusted.”
He added that customers should remain vigilant for phishing scams and identity fraud: “Affected customers should watch out for unsolicited messages, spam, and in general, unusual traffic. Attackers may use this to launch phishing attempts. Even though financial data wasn’t leaked, contact information can still be used for identity fraud.”
These latest incidents follow similar cyberattacks on major UK retailers, including Marks & Spencer, Co-op, and Harrods. M&S has estimated its losses from a recent hack at around £300 million, roughly a third of its annual profit. Co-op also reported major disruptions, including empty shelves and payment issues.
UK police are currently investigating a cybercrime group known as Scattered Spider, believed to be behind the M&S attack and potentially others involving Co-op and Harrods. While there is no confirmed link between this group and the Adidas breach, the scale and frequency of these incidents have left many experts concerned.
Vonny Gamot from online security firm McAfee advised: “Even if you haven’t received notification from the brand or retailer which has been impacted, assume your information may have been compromised if you’ve been a customer. Companies often take weeks to identify all affected individuals.”
As the retail sector continues to grapple with rising cyber threats, customers are being urged to take precautionary steps and stay alert.
