Lingerie firm Victoria’s Secret paused online orders in the US and halted some in-store services following a “security incident”, in the latest of a string of cyber-attacks affecting retailers.
Separately, German sportswear giant Adidas said some customer contact information had been stolen following an attack on a third-party customer service provider.
The incidents follow disruption to British retailers Marks & Spencer and the Co-op Group starting in late April after both were hit by cyber-attacks.
Disruption
Victoria’s Secret stopped some office operations and told employees to avoid using company technology as a result of the cyber-attack, according to a Bloomberg report last week.
Some staff lost access to their emails due to the incident, which also affected some operations at distribution centres, the report said.
The Ohio-based company later issued a statement saying it was “working around the clock” to recover from the incident.
“We have taken down our website and some in-store services as a precaution,” the company said.
“Our team is working around the clock to fully restore operations. We appreciate your patience during this process.”
The company’s retail stores and its PINK outlets remained open, the firm said.
Adidas said in a statement that attackers gained access to “certain customer data” through a third-party customer service provider that was not identified.
“We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security expert,” the company said, adding that it was informing affected consumers.
It said the data “mainly consists” of the contact information of people who were in touch with its help desk, and that neither payment data nor passwords were compromised.
Scattered Spider
UK law-enforcement authorities recently confirmed they are investigating potential links in the M&S and Co-op attacks to an English-speaking hacking group known as Scattered Spider that is also believed to be behind disruption to Las Vegas casinos in 2023.
The group has a pattern of attacking companies within a single sector before moving on to another one, and often contacts help desk or technical support teams where social engineering techniques are used to obtain passwords or deploy malware, security experts have said.
A M&S internal technical support contractor is reportedly investigating whether it was the means for the attack on the retailer to take place.
Darren Williams, chief executive of cyber-security firm BlackFog, said the fact that the Adidas attack also involved a third-party contractor was a clear signal that organisations “must treat third-party cybersecurity with the same rigor as their own, or risk being the weakest link in a growing chain of attacks”.
