Luxury, Breached: How Social Engineering and Access Missteps Cracked Global Retailers
Retailers face a wave of cyberattacks driven by weak access controls, vendor gaps, and social engineering. Recent breaches reveal costly flaws in modern digital infrastructure.
A recent wave of cyberattacks on global retailers, including Adidas, The North Face, Victoria's Secret, Marks & Spencer, Dior, and Cartier, reveals a stark shift in threat tactics. Gone are the days of sophisticated zero-days or ransomware payloads as first vectors. Instead, attackers increasingly exploit outdated third-party integrations, weak access controls, and social engineering – human mistakes and overlooked systems.
According to cybersecurity firm IBM, retail faces the second-highest average cost per data breach at $3.28 million, with social engineering attacks increasing 270% since 2020.
Adidas: The Third-Party Blind Spot
On May 23, Adidas disclosed a breach that exposed sensitive customer data across the U.S. and Europe. The source: a compromised third-party customer service provider with outdated service accounts lacking multi-factor authentication (MFA). The breach impacted millions and exposed contact details, order data, and partial payment information.
Adidas' own systems remained untouched, but the breach illustrates the growing vulnerability of interconnected vendor ecosystems. When vendors lack the cybersecurity maturity of their enterprise clients, they become ideal targets.
For Adidas customers, the breach meant getting an awkward email explaining that their data was compromised through a vendor they'd never heard of. This highlights why it's worth checking your credit card statements regularly – not just for fraudulent charges, but to spot unusual activity patterns.
The North Face: When Recycled Passwords Come Back to Haunt You
Outdoor apparel giant The North Face confirmed that an April 23 breach stemmed from a credential-stuffing attack. Hackers used previously leaked passwords to access user accounts, bypassing protection thanks to the absence of MFA. Compromised data included names, addresses, phone numbers, and order histories.
Despite its $3B revenue and affiliation with VF Corporation, The North Face fell to a textbook attack. It highlights the persistent threat posed by reused credentials and inadequate login protection.
The credential stuffing attack succeeded because customers had reused passwords from other breached sites – something we've all been guilty of at some point.
While credential stuffing exploited individual account weaknesses, other retailers faced systematic attacks on their corporate infrastructure. If you're shopping at multiple retailers, this is exactly why security experts keep harping on unique passwords for each site.
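The credential-stuffing pattern described above leaves a recognisable trace in authentication logs: one source trying many different accounts in quick succession, mostly failing, with a few successes that are full account takeovers when no MFA step follows. The example below is added here and is not code from the article or from any of the retailers named; the log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, account, result.
# 203.0.113.7 tries seven different accounts in a few seconds; 198.51.100.9 is one
# user mistyping their own password once, then logging in normally.
SAMPLE_LOG = """\
2025-04-23T02:00:01 203.0.113.7 alice@example.com FAIL
2025-04-23T02:00:02 203.0.113.7 bob@example.com FAIL
2025-04-23T02:00:02 203.0.113.7 carol@example.com OK
2025-04-23T02:00:03 203.0.113.7 dave@example.com FAIL
2025-04-23T02:00:03 203.0.113.7 erin@example.com FAIL
2025-04-23T02:00:04 203.0.113.7 frank@example.com OK
2025-04-23T02:00:05 203.0.113.7 grace@example.com FAIL
2025-04-23T09:14:10 198.51.100.9 alice@example.com FAIL
2025-04-23T09:14:25 198.51.100.9 alice@example.com OK
"""

def parse_log(text):
    """Split each line into (timestamp, ip, account, result). Format is assumed."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def stuffing_suspects(events, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that hit many distinct accounts with a low success rate.

    A normal user retries one or two accounts; a stuffing run sprays many.
    Returns, per flagged IP, the attempt counts and the accounts that did log in,
    since without MFA those logins are the takeovers that need a forced reset.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": set()})
    for _, ip, account, result in events:
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["attempts"] += 1
        if result == "OK":
            stats["ok"].add(account)
    suspects = {}
    for ip, stats in per_ip.items():
        rate = len(stats["ok"]) / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and rate <= max_success_rate:
            suspects[ip] = {
                "distinct_accounts": len(stats["accounts"]),
                "attempts": stats["attempts"],
                "taken_over": sorted(stats["ok"]),
            }
    return suspects

if __name__ == "__main__":
    for ip, info in stuffing_suspects(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds are assumptions to tune per site; the point is that the signal exists in logs retailers already keep, and the accounts in `taken_over` are the ones to lock and re-verify.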
Marks & Spencer and Co-op: Social Engineering at Scale
In April 2025, U.K. retailers Marks & Spencer and Co-op were hit by what the Cyber Monitoring Centre labeled a “Category 2 systemic event,” with financial damages between $363M and $592M. The initial attack vector: social engineering against IT help desks.
The attacker, reportedly the Scattered Spider group (aka UNC3944), impersonated internal IT staff to bypass identity checks and reset access controls. This deep, targeted infiltration bypassed technical barriers by manipulating people.
While you can't control whether a company's help desk falls for fake IT calls, you can control how much damage a breach does to you. Anyone still using the same password across shopping sites learned this lesson the hard way in 2025.
Victoria's Secret: How Admin Accounts Became the Master Key
On May 24, Victoria's Secret detected a security incident that forced it to shut down both corporate systems and its U.S. website. The outage lasted several days, delaying its quarterly earnings report. Analysts point to ransomware or admin privilege abuse in SaaS environments.
Although preliminary results suggest no direct impact on Q1 performance, the breach underlined the cost of failing to properly segment and monitor internal administrative access.
The incident highlighted how privileged administrative accounts, when compromised, can shut down entire digital operations within hours.
Cartier and Dior: When Luxury Meets Digital Reality
Luxury retailers Cartier and Dior faced breaches tied to vulnerabilities in third-party CRM and support systems. Cartier confirmed exposure of customer names, emails, and country of residence, though no payment data was accessed. The attack surfaced weeks after similar events at U.K. retailers.
Cartier declined to share technical details but urged vigilance, a common refrain when internal visibility is limited or third-party responsibilities are unclear.
The Real Cost: When Security Theater Meets Real Hackers
These breaches share a common theme: attackers exploiting the seams between systems, vendors, and human workflows. In every case, MFA was missing, access was over-permissioned, or social engineering was decisive. As supply chains digitize and SaaS proliferates, security must extend beyond traditional boundaries.
Here's the uncomfortable truth: it doesn't matter if you're shopping at Cartier or a corner store online – a forgotten password reset or an intern who falls for a fake IT call can expose your data just the same. These luxury brands spend millions on pristine storefronts and flawless customer service, yet somehow miss the basics like requiring a second password step.
It's almost ironic – companies that obsess over every detail of a shopping bag design can't be bothered to properly train their help desk. But here's what 2025 has taught us: your reputation can crumble in the time it takes to post a breach notification. All those years building trust? Gone in a tweet.