Victoria’s Secret took down its United States website after a security incident. BBC News was informed by the police that Scattered Spider, a hacking crime group, is among the suspects. While the website appears to be restored, it previously was replaced with a customer notice stating the organization was “working around the clock to fully restore operations.”  

Security Leaders Weigh In

Darren Guccione, CEO and Co-Founder at Keeper Security:

Cyberattacks are global threats, rarely limited to one nation or region. As Google Threat Intelligence reported, the international spread of the large-scale attacks on major U.K. retailers were to be treated as a “not if, but when” threat for retailers in other regions. The recently-disclosed Memorial Day Weekend attack on Victoria’s Secret matches many of the patterns demonstrated in the breaches on U.K. companies like Harrod’s and Co-op, which may indicate the arrival of the Scattered Spider hacking group in America.

These breaches demonstrate the necessity of proactive cyber strategies. Privileged Access Management (PAM) is one available and reliable defense against cyber threats that will also protect critical resources in the event of a successful attack. Features like automated password rotation and just-in-time access limit a cybercriminal’s ability to gather or steal data, while session monitoring and recording can allow organizations to identify the root cause of a breach. By providing visibility and access management across the entire organization, PAM solutions limit access sprawl, which significantly minimizes the impact of any breach. 

Customers of Victoria’s Secret, especially those with accounts in the company’s online system, should proceed with caution and take proactive steps to prevent the misuse of their data. Attacks like these highlight the critical need to use a password manager as a first line of defense. Account protection begins with a secure password that is not easily guessed and has not been used for any other accounts. A password manager creates high-strength random passwords for every website, application and system. Further, it enables strong forms of MFA, such as an authenticator app, to add layers of protection to your accounts and make it significantly harder for bad actors to gain unauthorized access. Additionally, a dark web monitoring service can alert you if your information shows up on the dark web so that you can take immediate action in real time.

Ben Hutchison, Associate Principal Consultant at Black Duck:

Unfortunately, it is not uncommon for a particular industry sector and classes of organizations to suffer from a wave of similar attacks or seemingly targeted attacks in phases of threat actor operations. They may be considered “victims of the moment,” as unfortunately once a particular attack or threat actor group has been successful in compromising a specific target/sector, this can serve as motivation both for others to engage in similar efforts and for the specific threat actor to double down on their efforts and launch attacks against similar targets. Given the recent rising trend in attacks targeting retail organizations and high street stores, such organizations should treat this as a wakeup call to ensure they are prioritizing their cybersecurity and digital resiliency.

Haviv Rosh, Chief Technology Officer at Pathlock:

The recent expanding campaign against U.S. retailers, including Adidas, highlights a critical need for CISOs to operate under an “assume breach is inevitable” mindset. Today’s cybercrime gangs aren’t just technically skilled — they’re socially creative and relentlessly focused. The question isn’t if they get in, but what happens next.

Specifically, security leaders should incorporate a strategy grounded on three key elements:

First, they should identify crown-jewel assets — the systems and data that drive revenue, trust, or operations. Second, segmenting and isolating critical workloads is important to prevent lateral movement. Third, they must invest in recovery-first infrastructure. This task includes having in place immutable backups with fast restore capability. It also assumes incorporating infrastructure-as-code to redeploy environments quickly. Lastly, serverless or container-based services for modular failover, as well as privileged access governance with real-time audit and drift detection, are essential.

And the final yet critical element of this strategy is continuously testing resilience under real-world conditions. If you don’t test it, it won’t work when it matters. Tabletop exercises, red team drills and recovery dry-runs must be a standard practice.

The modern security program isn’t defined by how many attacks it blocks, but by how confidently it recovers when hit. Resilience is now the most important control.