US-based Lingerie retailer Victoria's Secret has taken down its website and suspended some store services after identifying what the company describes as a "security incident" that has disrupted operations for several days.

The retailer confirmed it had "identified and are taking steps to address a security incident" and had "immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in-store services as a precaution."

The disruption began affecting operations from 26 May, with some employees reportedly locked out of email accounts as passwords stopped working. The company has halted customer care operations and some distribution centre operations whilst addressing the breach.

"Recovery is going to take awhile," said Hillary Super, the lingerie retailer's chief executive officer, in an internal note to employees. The company's more than 800 physical stores remain open and operating normally, suggesting the incident primarily affects digital systems.

Victoria's Secret shares fell 6.9 per cent on Wednesday in New York as investors reacted to news of the outage. The retailer's online operations generated just over $2 billion (£1.6 billion) last year, accounting for approximately one-third of total revenue.

The company operates roughly 1,350 retail stores across 70 countries and declined to provide details about the nature of the incident, its timeline, or whether law enforcement has been contacted. Victoria's Secret also did not respond to questions about potential ransomware involvement.

The timing of the attack follows the recent US Memorial Day holiday, a period when cyber criminals often target organisations due to reduced IT staffing levels. The incident comes as the retailer faces additional pressures, including a recent poison pill strategy adoption following increased investment from BBRC International Pte Limited.

Victoria's Secret joins a growing list of retailers facing cyber security challenges in recent weeks. Marks & Spencer reported a £300 million hit to operating profit from a cyber attack that disrupted sales and operations, with hackers breaching systems through human error at a third party.

Other affected UK retailers include luxury department store Harrods, which disclosed attempted system compromises, and supermarket chain Co-op, where intruders accessed and extracted customer data during a recent attack. A hacking group known as DragonForce has claimed responsibility for several UK retail attacks, though these allegations could not be independently verified.

Earlier this month, Google's Mandiant security division warned that threat groups, including Scattered Spider, were targeting US retailers after achieving success against UK chains. The wave of attacks highlights the ongoing vulnerability of retail operations to cyber criminals seeking to exploit digital infrastructure.

Victoria's Secret stated its team is "working around the clock to fully restore operations" but has not provided a timeline for when normal service will resume. The company's UK website appears unaffected by the security measures.

---