Victoria’s Secret and the Fashion Industry’s Growing Cybersecurity Crisis


On June 3rd, major clothing retailer Victoria’s Secret disclosed a cybersecurity incident affecting the company’s information technology (IT) systems. The attack led Victoria’s Secret to take its website offline from May 26th to 29th while response protocols were initiated. The website and stores are currently operating. Victoria’s Secret issued an official press release stating that the breach did not cause a material disruption to the company’s operations, and that steps were taken to “contain and eradicate unauthorized network access.” The company also stated that while the incident did not affect first-quarter financial results, it did temporarily cut off access to certain systems needed to release those results.

A Pattern of Retail Breaches Emerges

The Victoria’s Secret attack is not an isolated incident, but the latest in a pattern of attacks against leading retailers, especially fashion and luxury stores. Recent cybersecurity disclosures from companies like Dior and Adidas demonstrate a disturbing trend of cyberattacks targeting the systems and data of major retailers.

This problem is not limited to American companies: in the United Kingdom, recent attacks tied to the ransomware service DragonForce have breached several retailers, including Harrods, Co-op, and Marks & Spencer. This wave of incidents is part of a sustained pattern of attacks targeting large fashion and retail organizations, taking advantage of weak security measures to breach valuable and sensitive data and systems.

Suspect: Scattered Spider Enters the Frame

The group behind the 2023 attacks against MGM Resorts International and Caesars Entertainment, known as Scattered Spider, is tied to the DragonForce ransomware attacks in the UK. The Victoria’s Secret breach has not yet been directly linked to the group, but the attack came very shortly after a warning from Google’s threat intelligence researchers that Scattered Spider would be targeting US retailers.

Scattered Spider is a young, agile, and highly disruptive hacking group that launches financially motivated ransomware attacks against many large companies. The connection between the 2023 casino attacks and the recent UK attacks, as well as the links between Scattered Spider and DragonForce, lead law enforcement to see the group as a likely actor in the Victoria’s Secret breach.

The Retail Cyber Gap

The recent spate of attacks and the longer-term pattern of threats targeting retailers are indicative of a widespread lack of effective security in the retail sector. As a result of the rapid growth of online retailing, digital innovation has outpaced investment in cybersecurity tools and policies. Retailers of all sizes have had to push further into the digital sphere to keep up with market trends and consumer demands, and many large retailers have done so without taking the necessary steps to secure their interconnected systems or the large volumes of sensitive enterprise, employee, and customer information they hold.

The use of legacy systems that are ill-equipped for modern threats, third-party services introducing unknown vulnerabilities through unmonitored access points, and mismanagement of identity and access authorizations and permissions add to the challenges of securing retail organizations against attacks. Customer-facing platforms and deeply interconnected global supply chains also open companies up to attacks from additional sides that are difficult to effectively defend.

Fallout and Risks for Consumers

It is unclear what the scope of the stolen data is, but the pattern of related attacks suggests that valuable customer data may be at risk. An attack like this on such a major retailer erodes public trust and raises concerns about the reputation of the brand. Regulatory and legal consequences are likely to follow as the full scope and fallout of the incident are determined and the investigation is carried out.

“Customers of Victoria’s Secret, especially those with accounts in the company’s online system, should proceed with caution and take proactive steps to prevent the misuse of their data,” says Darren Guccione, CEO and Co-Founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. Those steps include using a password manager, implementing multi-factor authentication, and investing in a monitoring service that alerts consumers to take action if their information is found on the dark web.

Rethinking Security in Retail

To mitigate the risks of attacks like this on major retailers and other companies, maintaining an effective security strategy must be a priority. It is important to implement measures like identity-first security and zero-trust infrastructure, and policies like the principle of least privilege.

Cyber resilience and breach readiness planning are essential to ensure the ability to effectively contain, respond to, and bounce back from any potential attacks. The path to a more resilient retail sector requires industry collaboration, threat intelligence sharing, and proactive defense strategies to prevent data breaches.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.