Victoria’s Secret & Co. Vendor Cyber Rating & Cyber Score

victoriassecret.com
ISOSOC2 Type 1SOC2 Type 2PCI DSSHIPAAGDPR

Victoria’s Secret & Co. (NYSE: VSCO) is a specialty retailer of modern, fashion-inspired collections including signature bras, panties, lingerie, casual sleepwear, athleisure and swim, as well as award-winning prestige fragrances and body care. VS&Co is comprised of market leading brands, Victoria’s Secret and Victoria’s Secret PINK, that share a common purpose of supporting women in all they do, and Adore Me, a technology-led, digital-first innovative intimates brand serving women of all sizes and budgets at all phases of life. We are committed to empowering our nearly 30,000 associates across a global footprint of more than 1,350 retail stores in nearly 70 countries. We strive to provide the best products to help women express their confidence, sexiness and power and use our platform to create connection and community while celebrating the extraordinary diversity of women’s experiences.

Victoria’s Secret & Co. A.I CyberSecurity Scoring

VSC

Company Details

Linkedin ID:

victoria's-secret

Website:

http://careers.victoriassecret.com

Employees number:

29,040

Number of followers:

705,186

NAICS:

43

Industry Type:

Retail

Homepage:

victoriassecret.com

IP Addresses:

Scan still pending

Company ID:

VIC_1226201

Scan Status:

In-progress

AI scoreVSC Risk Score (AI oriented)

Between 600 and 649

https://images.rankiteo.com/companyimages/victoria's-secret.jpeg
VSC Retail
Updated:
  • Powered by our proprietary A.I cyber incident model
  • Insurance preferes TPRM score to calculate premium
Get a Score Increase
globalscoreVSC Global Score (TPRM)

XXXX

https://images.rankiteo.com/companyimages/victoria's-secret.jpeg
VSC Retail
  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

Victoria’s Secret & Co.

Poor
Current Score
640
Caa (Poor)
01000
4 incidents
-43.33 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

APRIL 2026
640
MARCH 2026
637
FEBRUARY 2026
636
JANUARY 2026
725
DECEMBER 2025
639
NOVEMBER 2025
638
OCTOBER 2025
636
SEPTEMBER 2025
633
AUGUST 2025
644
Cyber Attack
01 Aug 2025 • Victoria's Secret
Scattered Spider Cybercrime Collective Resurfaces with New Telegram Channel

In early August 2025, the cybercrime collective Scattered Spider publicly exposed screenshots of console access to Victoria's Secret systems, indicating unauthorized access and potential data exfiltration. The group, collaborating with other extortion factions like ShinyHunters and Lapsus$, shared partial customer data samples, suggesting a breach of sensitive information. The attack involved spear-phishing and exploited VPN credentials, followed by in-memory execution of malicious payloads to evade detection. The incident highlights the group's shift toward real-time data theft and extortion, posing significant risks to the company's customer data and operational security.

627
critical -17
VIC209081225
Incident Details -
Type
Data Exfiltration, Ransomware, Extortion
Attack Vector
Spear-phishing, Exploited VPN credentials
Vulnerability Exploited
Windows kernel vulnerabilities
Motivation
Financial gain, Extortion
Impact
Data Compromised: Customer data, Corporate documents, Server listings, Court filings Operational Impact: High alarm across industries Brand Reputation Impact: Significant due to public exposure Identity Theft Risk: High
Data Breach
Type Of Data Compromised: Customer data, Corporate documents, Server listings, Court filings Sensitivity Of Data: High Data Exfiltration: Yes Personally Identifiable Information: Yes
Initial Access Broker
Entry Point: Spear-phishing, Exploited VPN credentials High Value Targets: Victoria’s Secret, Gucci, Neiman Marcus, Chanel, Disney, S&P Global, T-Mobile, Nvidia, Otelier, Coinbase, Burger King Brazil, Adidas, Cisco, U.S. Department of Homeland Security, U.K. Ministry of Justice Data Sold On Dark Web: Yes
Post Incident Analysis
Root Causes: Spear-phishing, Exploited VPN credentials, Windows kernel vulnerabilities
References
Blog URL Source URL
JULY 2025
644
JUNE 2025
735
Breach
13 Jun 2025 • Cartier, Marks & Spencer and Victoria’s Secret: UPDATE: May Cyber Attack Expected to Cost Victoria’s Secret $20 Million
Retail Cyberattacks Surge: Victoria’s Secret, The North Face, and Cartier Among Latest Victims

**Retail Cyberattacks Surge: Victoria’s Secret, The North Face, and Cartier Among Latest Victims** A wave of cyberattacks has targeted major retailers in recent weeks, disrupting operations and exposing customer data. Victoria’s Secret, The North Face, and Cartier are among the latest brands to report security breaches, highlighting the growing threat to the retail sector. **Victoria’s Secret Hit by Undisclosed Cyberattack** Victoria’s Secret experienced a security incident in late May, forcing the company to shut down its website and pause some in-store services from **May 26 to May 29, 2025**. While stores remained open, the outage delayed the company’s fiscal Q1 earnings report, though financial results released on **June 11** showed net sales of **$1.35 billion**, exceeding expectations. However, the breach is projected to cost the company **$20 million in Q2 net sales** due to service disruptions. **The North Face and Cartier Report Separate Breaches** The North Face, owned by **VF Corp.**, disclosed a **"small-scale" credential-stuffing attack** in **April 2025**, where hackers used leaked login details from other breaches to access customer accounts. No financial data was compromised, but names and emails were exposed. Luxury brand **Cartier** also confirmed a breach, revealing that an unauthorized party accessed customer data, including **purchase history, shipping addresses, birth dates, and phone numbers**. The company did not specify when the attack occurred. **Retail Sector Under Siege** These incidents follow a string of attacks on other retailers this month, including **Marks & Spencer, Dior, Harrods, and Adidas**. The Adidas breach, linked to a third-party customer service provider, underscored the risks of supply chain vulnerabilities. Cybersecurity experts warn that retailers are prime targets due to the vast amounts of sensitive customer data they handle, with **46% of retail security professionals reporting data loss from attacks in the past year**. The financial and reputational toll is significant companies face **network outages, customer account compromises, and long-term trust erosion**, with some losing over **10% of annual revenue** after breaches. While details of the Victoria’s Secret attack remain undisclosed, the incident reflects a broader trend of **coordinated or opportunistic attacks** on the retail industry.

640
critical -95
VICMARCAR1772649374
Incident Details -
Type
Data Breach Credential Stuffing Cyberattack
Attack Vector
Credential Stuffing Unauthorized Access
Impact
Financial Loss: $20 million in Q2 net sales (projected for Victoria’s Secret) Data Compromised: Customer data including names, emails, purchase history, shipping addresses, birth dates, and phone numbers Websites In-store services Downtime: May 26 to May 29, 2025 (Victoria’s Secret) Operational Impact: Delayed fiscal Q1 earnings report, paused in-store services Brand Reputation Impact: Long-term trust erosion
Response
Shut down website Paused in-store services
Data Breach
Names Emails Purchase history Shipping addresses Birth dates Phone numbers Sensitivity Of Data: High (Personally Identifiable Information) Personally Identifiable Information: Yes
Lessons Learned
Retailers are prime targets due to vast amounts of sensitive customer data; supply chain vulnerabilities pose significant risks.
References
Blog URL Source URL
MAY 2025
751
Cyber Attack
26 May 2025 • Victoria’s Secret
Cyber Attacks on Victoria’s Secret, The North Face, and Cartier (May-June 2025)

Victoria’s Secret experienced a **cyber attack in late May 2025**, forcing the company to shut down its website and pause some in-store services from **May 26 to May 29**. The incident disrupted operations, delayed Q1 financial reporting, and resulted in an estimated **$20 million loss in Q2 net sales** due to service outages. While no customer data breach was explicitly confirmed in the article, the attack caused **significant operational disruption**, including halted online transactions, paused customer care services, and extended return/reward windows to mitigate customer impact. The company’s restoration efforts delayed financial reporting, highlighting the attack’s severity in terms of **business continuity and financial repercussions**. The incident aligns with a broader trend of **targeted retail cyber attacks**, emphasizing vulnerabilities in e-commerce and in-store systems.

733
critical -18
VIC840090225
Incident Details -
Type
Cyber Attack (Victoria’s Secret: unspecified; The North Face: credential stuffing; Cartier: unauthorized access)
Attack Vector
Credential stuffing Unauthorized system access
Vulnerability Exploited
Reused customer credentials from prior breaches
Motivation
Likely financial gain (data theft, potential ransomware, or disruption)
Impact
$20 million (Q2 net sales impact) Customer names and emails Customer names, emails, products purchased, shipping addresses, birth dates, telephone numbers Website Customer Care Services some in-store systems Website Internal systems (temporary access) 2025-05-26 to 2025-05-29 (website and some in-store services) Delayed Q1 2025 financial reporting, extended return/coupon windows $20 million (Q2) High (loss of customer trust, reputational damage across all three brands) Low (no financial data stolen) Moderate (PII including birth dates and addresses exposed) None (explicitly stated no financial details stolen)
Response
Yes (website shutdown, containment measures) Website shutdown pause of some in-store services System restoration extended return/coupon windows Website restored by 2025-05-30 financial reporting delayed to 2025-06-11 Public statement (2025-05-30) FAQ page for customers delayed earnings announcement Customer email notification Customer email notification
Data Breach
Names Emails Names Emails Products purchased Shipping addresses Birth dates Telephone numbers Low (no financial/PII beyond emails) High (PII including addresses and birth dates) Yes Yes Partial (emails only) Yes (names, addresses, birth dates, phone numbers)
Lessons Learned
Retailers are high-value targets for cyber attacks due to vast customer data repositories. Third-party vendor risks (e.g., Adidas’ customer service provider breach) underscore the need for supply chain cybersecurity oversight. Credential stuffing remains a persistent threat, emphasizing the need for multi-factor authentication (MFA) and password hygiene. Proactive incident response plans and customer communication strategies are critical to mitigating reputational and financial damage. Coordinated attacks on the retail sector suggest potential campaign-style threats requiring industry-wide collaboration.
Recommendations
Implement MFA and passwordless authentication to combat credential stuffing. Conduct third-party cybersecurity audits for vendors with access to customer data. Develop and test incident response plans, including website takedown procedures and customer notification templates. Invest in adaptive security measures (e.g., behavioral WAFs, network segmentation) to detect and contain breaches early. Prioritize transparency in post-incident communications to maintain customer trust.
Investigation Status
Ongoing (root cause not disclosed) Completed (attributed to credential stuffing) Ongoing (limited details shared)
Customer Advisories
Website outage notifications (2025-05-26–29) FAQ page with extended policies Email notification to customers about 'small-scale' attack and stolen data (names/emails) Email notification about unauthorized access and compromised PII (names, addresses, etc.)
Stakeholder Advisories
Victoria’s Secret delayed Q1 2025 earnings announcement (2025-06-11) with disclosure of $20M Q2 impact. Extended return and coupon redemption windows for affected customers.
Post Incident Analysis
Credential stuffing due to reused customer passwords from prior breaches Unauthorized system access (method unspecified) System restoration financial reporting delays customer policy extensions
References
Blog URL Source URL
APRIL 2021
785
Breach
13 Apr 2021 • Victoria’s Secret
Victoria's Secret Data Breach

The breach notification was reported by Victoria's Secret on May 13, 2021, regarding unauthorized access to certain personal information in customer online accounts between April 13, 2021, and April 14, 2021. The compromised information included names, email addresses, postal addresses, birthdays (month and day), telephone numbers, and linked gift card details. The company has advised customers to change their passwords and monitor their accounts for suspicious activity.

718
critical -67
VIC627072725
Incident Details -
Type
Data Breach
Attack Vector
Unauthorized Access
Impact
names email addresses postal addresses birthdays (month and day) telephone numbers linked gift card details
Response
Advised customers to change their passwords and monitor their accounts for suspicious activity
Data Breach
Personal Information names email addresses postal addresses birthdays (month and day) telephone numbers
Customer Advisories
Advised customers to change their passwords and monitor their accounts for suspicious activity
References
Blog URL Source URL

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for Victoria’s Secret & Co. is 640, which corresponds to a Poor rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2026 was 637.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2026 was 636.

According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2026 was 725.

According to Rankiteo, the A.I. Rankiteo Cyber Score for December 2025 was 639.

According to Rankiteo, the A.I. Rankiteo Cyber Score for November 2025 was 638.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 636.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 633.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 627.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 644.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 735.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 751.

Over the past 12 months, the average per-incident point impact on Victoria’s Secret & Co.’s A.I Rankiteo Cyber Score has been -43.33 points.

You can access Victoria’s Secret & Co.’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/victoria's-secret.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view Victoria’s Secret & Co.’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/victoria's-secret.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.