Victoria’s Secret said Tuesday that it is postponing the release of its fiscal first quarter earnings report as a previously disclosed cyberattack prevents employees from accessing certain systems needed to produce the information.
The fashion retailer said on May 24 that it had experienced a data breach, leading it to temporarily shut down corporate systems and its website. The company hired third-party forensic experts to help investigate the attack
The company restored access to its website on May 29 but is still working to repair its corporate systems, it said in a Securities and Exchange Commission filing. The hack also affected certain functions at Victoria’s Secret and PINK retail stores, but most of those operations are back up and running.
The hack did not affect Victoria’s Secret’s fiscal first quarter, which ended on May 3, the company said. Results from the quarter were near or exceeded the high end of the company’s financial outlook.
However, Victoria’s Secret is continuing to assess the impact of the breach with the help of its audit committee.
While the breach has not caused a material disruption, Victoria’s Secret said, it has incurred and will continue to incur expenses that could negatively affect future financial results, including during the fiscal second quarter.
The severity of the hack raises additional questions about the threat from the cybercrime gang known as Scattered Spider. Security researchers suspect the group is behind a series of attacks against U.K. retailers, including Harrod’s, the Marks & Spencer department store chain and Co-op. M&S said its hack will cost it upward of $400 million.
Mandiant researchers recently warned that the same threat actor was targeting multiple U.S. retailers. Mandiant could not make a formal attribution, but it considers Scattered Spider the likely culprit, and earlier in May, it released guidance to prevent intrusions by the group, which is known to be highly skilled at using social-engineering tactics to gain access.
Mandiant confirmed in May that hackers had breached multiple U.S. retailers during last month’s hacking spree, but researchers did not name any of the victims.
Since those attacks began in April, a series of incidents have targeted high-profile retail and fashion brands. Cartier on Tuesday disclosed that an unauthorized actor gained temporary access to its systems and stole some customer data.
“What makes this trend particularly alarming is its scale and coordination,” said Adam Marrè, CISO at Arctic Wolf. “It is not confined to one geography or the result of isolated incidents. Instead, we are seeing a pattern that suggests a deliberate campaign against the retail sector.”
House of Dior in mid-May confirmed to Cybersecurity Dive via email that it was investigating a breach that resulted in the theft of customer records. The company said the theft did not include financial information but that it was still notifying customers. Adidas on May 23 also confirmed a breach related to the hack of a third-party customer service provider that it did not name.
The North Face, through its parent company VF Corp., also disclosed an attack with the Vermont Attorney General. The attack was a small credential stuffing incident and took place in April, which is prior to the spree that began to impact major retailers in the U.S.
