By WYATTE GRANTHAM-PHILIPS
AP Business Writer
NEW YORK (AP) — Victoria's Secret has taken down its U.S. website and says some in-store services will also be unavailable as it addresses a "security incident."
A message to customers remained in place of the popular lingerie brand's normal shopping site Thursday, stating that it had halted these operations "as a precaution."
"Our team is working around the clock to fully restore operations," the message read.
Ohio-based Victoria's Secret did not provide many details about the "security incident," or directly confirm whether it was a cyber or ransomware attack. When asked for further information Thursday, a spokesperson just said that the company "immediately enacted our response protocols" and has engaged with third-party experts.
Victoria's Secret also didn't specify when it first identified the issue and began pulling back services. Most media reports of the retailer's website going dark emerged Wednesday — when the company also shared an update on social media — but some frustrated customers online said they began experiencing issues earlier in the week, as far back as Monday.
The company doesn't have an estimate for when its site will be back up, an FAQ on the Victoria's Secret corporate site notes. The company added that it is trying to fulfill orders placed before Monday and that it would be extending return windows and some direct mail coupon offers for impacted customers in the U.S.
Victoria's Secret says its stores, as well as its PINK brand locations, remain open for customers. But some in-store services, such as returning online orders in person, were unavailable as of Wednesday night — and as were its online customer care services, per the company's FAQ.
It was not immediately clear if any in-store services in Victoria's Secret locations outside the U.S. were also impacted. But the company's U.K. site appeared uninterrupted Thursday.
Bloomberg News reported that Victoria's Secret also stopped some of its office operations and that some employees were locked out of their company email accounts on Wednesday, citing an anonymous source familiar with the matter.
Shares for Victoria's Secret tumbled about 4% as of midday Thursday.
While not confirmed by the company, the "security incident" impacting Victoria's Secret bears all the hallmarks of a cyberattack. And it arrives as more and more companies report breaches that disrupt operations and/or expose customer data, particuarly among retailers.
Last week, for example, Adidas announced that it had recently become aware of an "unauthorized external party" obtaining some consumer data — mostly consisting of contact information — through a third-party customer service provider. The German shoe and clothing company said it would be informing impacted customers and working with law enforcement.
And several British retailers — Marks & Spencer, Harrods and Co-op — have all shared that they've been targeted by cyberattacks over recent weeks. The cyberattack hitting M&S stopped it from processing online orders and left store shelves empty, with the company estimating that this will cost it 300 million pounds ($400 million).
Following any cybersecurity incident impacting a consumer-facing brand, experts warn that it's important for shoppers to be alert. Fraudsters might promise fake promotions through phishing emails, for example, or use sensitive information that may have been compromised.
The breadth of disruptions impacting Victoria's Secret this week are also "a reminder to businesses of how wide-reaching the fallout can be," Tim Rawlins, senior adviser and director for security at consulting firm NCC Group, said in an emailed note Thursday.
"Halting operations, rather than rushing to bring them back online, is crucial to ensuring patches, recovery efforts, and strengthened cyber security are effective in the long run," he added.