Lingerie and apparel retailer Victoria’s Secret suffered a significant cyberattack in May 2025 that forced the company to take its website offline for days and disrupted operations at retail stores nationwide. The breach is expected to cost the company approximately $20 million in lost sales, and a class action lawsuit alleges the attack exposed sensitive customer data including Social Security numbers, financial account information, and government ID numbers.
Learn what to do if your personal data is exposed in a breach on OpenClassActions.com.
What Happened
Around May 26, 2025, Victoria’s Secret detected suspicious unauthorized access to its information technology systems. The company immediately shut down its e-commerce website and suspended certain in-store functions at retail locations to contain the intrusion. The website was offline from approximately May 26 to May 29 — spanning the Memorial Day shopping weekend, one of the busiest retail periods of the year.
Third-party cybersecurity experts were engaged to investigate and remediate the incident. Victoria’s Secret & Co. disclosed the breach publicly and acknowledged the attack would result in approximately $20 million in net sales impact in its second fiscal quarter. The company also delayed the release of its first quarter earnings report while systems were being restored.
The attack is linked to a broader wave of cyberattacks on major retailers in spring 2025 attributed to threat actors connected to the Scattered Spider group and the DragonForce ransomware gang. During the same period, UK retailers Marks & Spencer, Co-op, and Harrods were also hit by attacks attributed to the same threat actors — part of a coordinated campaign against the retail sector.
What Data Was Exposed
Victoria’s Secret has not publicly disclosed the full scope of compromised data. However, a class action lawsuit filed in the U.S. District Court for the Southern District of Ohio (Wardle-Burke v. Victoria’s Secret & Co., et al., Case No. 2:25-cv-00618) alleges the breach exposed highly sensitive personal information including:
- Full names and dates of birth
- Social Security numbers
- Driver’s license and state ID numbers
- Passport numbers
- Financial account information
The lawsuit alleges Victoria’s Secret failed to implement basic cybersecurity safeguards including encryption and routine security audits, and did not properly train staff on data protection practices.
Who Is Affected
The class action seeks damages on behalf of a nationwide class of Victoria’s Secret customers whose personal information was exposed in the breach. If you have shopped at Victoria’s Secret or PINK — online or in stores — your data may have been compromised, particularly if you created an account, enrolled in the VS Angels loyalty program, or made purchases that required you to provide personal information.
What You Should Do
If you have a Victoria’s Secret account or are an Angels rewards member, take the following steps immediately:
- Change your password on your Victoria’s Secret account and any other accounts using the same credentials.
- Freeze your credit with all three bureaus — Equifax, Experian, and TransUnion — to prevent new accounts from being opened in your name.
- Monitor your financial accounts for unauthorized transactions.
- Request an IRS Identity Protection PIN at irs.gov/identity-theft-central if your Social Security number was exposed, to prevent tax fraud.
- Watch for phishing emails referencing Victoria’s Secret orders, rewards, or account activity — attackers with your data may send convincing fake messages.
Learn how to report data breach scams and protect yourself on OpenClassActions.com.
This article is for informational purposes only and does not constitute legal advice. Written by Steve Levine for OpenClassActions.org.