Victoria’s Secret is postponing the release of its quarterly earnings following a security breach that disrupted the popular lingerie brand’s corporate operations and led it to take down its US shopping site for several days last week.
In a Tuesday update, Victoria’s Secret said it first detected a “security incident involving its information technology systems” on May 24 — and immediately turned to response protocols in effects “to contain and eradicate unauthorized network access,” which included engaging with third-party experts.
The Ohio-based retailer added that it temporarily shut down corporate systems and its retail website on May 26 “as a precaution.”
The Victoria’s Secret website in the US stayed dark for several days after, sparking prolonged frustration among shoppers.
It wasn’t back online until late Thursday.
While not directly confirmed by Victoria’s Secret, the incident bore hallmarks of a cyberattack involving ransomware.
Analysts note that more and more retailers are facing these kinds of attacks today — and pointed to the reach and length of disruptions impacting Victoria’s Secret’s operations.
Beyond its website, some in-store services at Victoria’s Secret namesake and Pink-branded locations were also shut down due to breach.
But on Tuesday, the company said most of those functions had since been restored.
Victoria’s Secret also said Tuesday that it’s still working to fully restore access to its corporate systems, which is why it’s delaying its first-quarter earnings — noting that the process has “prevented employees from accessing certain systems and information” needed to finalize and release the financial report.
Still, the company shared some preliminary results.
For its first quarter of 2025, which ended May 3, Victoria’s Secret now expects to report $1.35 billion in net sales and an adjusted operating income of $32 million, exceeding previously-issued guidance.
Analysts surveyed by FactSet expect sales of about $1.33 billion, on average.
Victoria’s Secret did not immediately share a new date for the release of its first quarter earnings.
Victoria’s Secret maintained that last month’s breach did not impact its first quarter results, as the period ended before the breach caused disruptions.
But the company said it would continue to “assess the full scope” of the incident, including expenses that might impact future finances.
The “security incident” impacting Victoria’s Secret arrives as more and more companies report breaches that disrupt operations and/or expose customer data, particularly among retailers.
Several British retailers — Marks & Spencer, Harrods and Co-op — have all shared that they’ve been targeted by cyberattacks over recent weeks, for example.
The cyberattack hitting M&S stopped it from processing online orders and left store shelves empty, with the company estimating that this will cost it 300 million pounds ($400 million).
And last month, Adidas announced that it had recently become aware of an “unauthorized external party” obtaining some consumer data — mostly consisting of contact information — through a third-party customer service provider.
Following any cybersecurity incident impacting a consumer-facing brand, experts warn that it’s important for shoppers to be alert.
Fraudsters might take advantage of the news to promise fake promotions through phishing emails, for example, or use sensitive information that may have been compromised.
