This story was first published on SESO’s sister brand Retail TouchPoints.
Following a cyber attack last week that prompted Victoria’s Secret to shut down its website and pause some in-store services, both The North Face and Cartier have reported attacks as well, multiple sources report. Both brands said that customer data was stolen, including names and emails, in the separate hacking events.
They are not alone. Other brands and retailers that reported cyber attacks this month include Marks & Spencer, Dior, Harrods and Adidas.
The security breaches point to a worrying trend in the retail sector.
“The recent security incident at Victoria’s Secret, following a string of attacks on other retailers, suggests a potentially coordinated campaign targeting the retail sector,” said Javvad Malik, lead security awareness advocate at cybersecurity consultancy and training firm KnowBe4 in comments shared with Shop Eat Surf Outdoor’s sister brand Retail TouchPoints. “While information remains limited at this point, suspending website functionality is not a decision that organizations take lightly. In the retail sector, where customer trust is paramount, embedding security awareness across all levels of the business is crucial. This culture should emphasize not only technological defenses but also staff vigilance to act swiftly when threats are detected.”
The North Face, which is owned by VF Corp., shared with customers that it had suffered a “small-scale” attack on its website in April. The attack was the result of “credential stuffing,” a type of attack in which account information obtained through a different data breach is used to access other companies’ systems, on the assumption that consumers reuse log-in details across multiple accounts. The North Face assured customers that no financial details were stolen in the attack.
Luxury brand Cartier also shared in an email to customers that “an unauthorized party gained temporary access to our system and obtained limited information.” That attack also resulted in theft of customer information, including details such as products purchased, shipping address, birth date and telephone number.
At the same time, Victoria’s Secret announced that it was delaying the reporting of its fiscal 2025 Q1 results as a result of the attack on its systems last week. While the attack did not have any impact on the company’s Q1 results, with the quarter having closed on May 3, Victoria’s Secret said that the restoration process following the attack has barred employees from accessing systems needed to report its financial results. A new date for the company’s earnings release has not yet been set.
While Q1 earnings are expected to fall at or above the high end of its previous guidance, Victoria’s Secret also cautioned that the attack in late May might lead to financial impacts in Q2 and beyond.
On May 29 the Victoria’s Secret website featured a message that the site had been shut down due to a “security incident”; however, consumer commentary online indicates that website outages may have started much earlier in the week. Victoria’s Secret later confirmed in a statement issued on June 3 that the shutdown had extended from May 26 through May 29.
Stores remained open throughout the outage, although some in-store services also were paused during the incident.
Retailers Must Prepare for Direct and Indirect Attacks
In addition to damaging customer trust, cyber attacks can have very real financial impacts. A sustained cyber attack on British retailer Marks & Spencer earlier in the month, which was linked to a hacking group known as Scattered Spider, cost the company millions of pounds each day, according to The Guardian.
Earlier this month, Adidas fell victim to an attack on its third-party customer service provider, resulting in the leak of personal data from customers who had contacted its help desk.
The Adidas attack highlights an additional vulnerability for retailers beyond their own systems: “This demonstrates how critical it is for organizations to have oversight of their supplier cybersecurity posture,” said Siân John, Chief Technology Officer at cybersecurity consulting firm NCC Group, in comments shared with Retail TouchPoints. “Global brands [are often] at the center of a vast network of third parties and they are only as strong as their weakest link, so they must collaborate with partners and suppliers to build a robust ecosystem around them.”
Customer Data Makes Retailers an ‘Attractive Target’
This puts an immense amount of pressure on retailers’ already busy technology teams, said Jon Bance, COO at UK-based technology consultancy Leading Resolutions: “The scope of CIOs is stretched more than ever between addressing critical security and AI innovation, amid macroeconomics that continue to worsen,” he said in comments shared with Retail TouchPoints. “Safeguarding against cyber attacks must be a continuous, forefront goal that the U.K.’s National Cyber Security Centre and even Cabinet officials are emphasizing as a business priority.”
The same advice holds true around the globe. In fact, new research from Fastly indicates that retailers and ecommerce businesses are particularly vulnerable to cyber attacks, with no other industry at a greater risk of data loss — 46% of security professionals at retailers reported experiencing data loss as the direct result of cyber attacks in the last year, and retailers that had experienced attacks within the last 12 months averaged a loss of more than 10% of their annual revenue. Network outages (38%), customer account compromises (25%), and loss of client trust and satisfaction (both 23%) were other common damages caused by security breaches, according to respondents.
“Retailers handle a huge amount of critical information every time a customer makes a purchase,” said Sean Leach, VP of Technology at Fastly, in a statement. “They are trusted by their customers to store this information — bank details, individual addresses and more — securely. But handling this sensitive data also makes retailers an extremely attractive target for bad actors. Recovering from a security breach is hugely complicated in this sector. Beyond the potential up-front financial loss, personal data being compromised results in a significant loss of trust, causing major reputational damage that can have a significant long-term impact on a business’ bottom line.”