Agenda-setting intelligence, analysis and advice for the global fashion community.

Explainer: How Retailers Can Fight a New Wave of Cyberattacks

A series of breaches at high-profile retailers like Victoria’s Secret and Marks & Spencer is putting cybersecurity back in the foreground. BoF examines what leaves fashion businesses vulnerable and how they can protect themselves.
Last week, Victoria's Secret joined a list of retailers to temporarily shut down their e-commerce and retail services. (Getty Images)

Last week, Victoria’s Secret went dark.

On May 26, the lingerie giant shut down its website following a “security incident,” the company said in a statement. (It did not confirm what caused the disruption.) While the site was only down for four days, it likely cost Victoria’s Secret millions in sales, adding another hurdle to its ongoing turnaround plan under new leader Hillary Super. The company’s stock dropped as much as 8 percent the day it closed its site.

It was just the latest technological dustup in a wave of cyberattacks on some of fashion’s biggest brands and retailers. Bloomberg reported that in January hackers accessed some of Dior’s customer data; then in April, UK-based high street retailer Marks & Spencer was forced to stop taking online orders after a security breach; and in May, Harrods briefly restricted website access after hackers attempted to break into its systems.

For years, the threat of security breaches — where individuals and organisations hack systems to access customer data such as contact information and credit card details — has haunted companies across industries, from Target to MGM Resorts. The frequency of these attacks is only growing: In 2024, the number of individuals and groups targeting companies’ systems that cybersecurity consultancy S-RM engaged with across 600 incidents grew 96 percent year over year.

These attacks can be extremely detrimental to a company’s bottom line: Marks & Spencer still hasn’t reopened its e-commerce operations, and doesn’t expect to do so until July. The incident will likely end up costing the company as much as £300 million ($404 million) in lost profits. But the impact can be even further-reaching. Many cyber criminals require companies to pay multimillion-dollar ransoms to regain access to their networks, and even once the attack is over, retailers must work to avoid sustaining lasting reputational damage.

The recent uptick in activity puts an extra burden on retailers to tighten existing cybersecurity processes or invest in additional tools that could chip away at profits.

“From a business perspective, it’s nothing if not unfair [to the companies impacted by it],” said Simeon Siegel, managing director and senior analyst of retail and e-commerce at BMO Capital Markets. In the event of a cyber attack, companies have “to balance short term fixes, while ensuring they don’t have [long-term] implications,” he added.

BoF breaks down what leaves fashion businesses vulnerable to cyberattacks and how they can protect themselves.

How does this happen?

Cyberattacks are typically orchestrated by groups that find and exploit a company’s technological shortcomings. The culprit can often be difficult to trace, because even when law enforcement tracks them down, individuals can splinter into other smaller organisations. Criminals can also act individually by finding hacking tools on the dark web, said Christian Beckner, vice president of retail technology and cybersecurity at NRF.

The tactics range in their level of sophistication. One of the common ways hackers infiltrate a company’s systems is through “phishing” — the dreaded emails where, posing as a company executive, they encourage employees to click a link that, if opened, can give them access to an organisation’s entire data network. They can also use employee voice impersonation tools to target a company’s customer service call centres, Beckner said.

“If one employee accidentally clicks a link in an email, it may not matter how protected and up-to-date your technology is,” Siegel said. “Human error can supersede the most advanced technology.”

Cyberattackers will target any industry with high transaction volumes, making fashion an appealing target. Plus, because most retail giants operate their e-commerce storefronts on years-old custom platforms that are likely outdated, they are particularly vulnerable, said Juan Pellerano-Rendón, chief marketing officer at e-commerce software start-up Swap.

“A lot of times these larger conglomerates have IT teams, and they’re updating their website regularly, but security might not always be at the top of their list,” Pellerano-Rendón added.

Retailers that operate with thin margins have historically been slower to invest in cybersecurity than in tools like a website redesign that can immediately drive revenue, said Sam Rubin, senior vice president of consulting and threat intelligence for Unit 42 at cybersecurity firm Palo Alto Networks.

“You could spend several million dollars on cybersecurity and feel safer and be safer, but what’s going to show up on your P&L is greater operating expenses without a necessarily highly visible tangible benefit,” Rubin said. “Sometimes that does get neglected in favor of driving top line growth in business.”

How should retailers respond?

When a company is hacked, it often has no choice but to shut down services until it can find the culprit and boot them out of its network. Preventing an initial cyberattack can be a near-impossible task as cyber criminals’ tools become more advanced and accessible.

Many retailers have increased cybersecurity measures in recent years, specifically around payment processing, Beckner said. In many of the recent attacks, customers’ financial information wasn’t compromised; the loss of that information is the scariest violation for many customers and therefore a natural priority for companies to prevent. To lower the risk of repeat offenses, retailers have to “assess where there might be existing vulnerabilities in your IT systems and services, and patch and upgrade those where they existed,” Beckner added, including adding multi-step authentication for company log-ins and conducting additional training for employees across the organisation.

The latest run of cybersecurity hiccups could also push major retailers to make big personnel changes such as hiring heads of security (if they don’t have them already), according to Pellerano-Rendón. They might also consider using more e-commerce services from software giants like Shopify that routinely update their software, making it more difficult to infiltrate, he added. Companies can institute drills where they work with third-party firms to simulate an attack to better assess the strength of their existing systems and what additional processes they need to implement, said Steve Ross, director of cybersecurity, Americas at S-RM.

In the aftermath of an attack, retailers also must do damage control in order to make sure their customers feel safe buying from them again. Shoppers today are aware that technology violations occur and are outside of a company’s control, “and not necessarily that Victoria’s Secret or Marks & Spencer has betrayed their trust in any way,” Pellerano-Rendón said.

Still, retailers need to tell customers whose personal information may have been compromised exactly which steps they’ve taken to protect their data down the line.

“It really comes down to making sure you’re communicating … and having that plan in place to quickly bounce back,” Beckner said.

Editor's Note: The story was updated on 3 June to correct the date that Victoria's Secret shut down its e-commerce site. It was May 26, not May 28.

About the author
Malique Morris

Malique Morris is Senior E-Commerce Correspondent at The Business of Fashion. He is based in New York and covers digital-native brands and shifts in the online shopping industry.

© 2025 The Business of Fashion. All rights reserved.
