'They yanked their own plug': How Co-op averted an even worse cyber attack
14 May 2025
Joe Tidy, Cyber correspondent, BBC World Service
Co-op narrowly averted being locked out of its computer systems during the cyber attack that saw customer data stolen and store shelves left bare, the hackers who claim responsibility have told the BBC.

The revelation could help explain why Co-op has started to recover more quickly than fellow retailer M&S, which had its systems more comprehensively compromised, and is still unable to carry out online orders.

Hackers who have claimed responsibility for both attacks told the BBC they tried to infect Co-op with malicious software known as ransomware - but failed when the firm discovered the attack in action.

Both Co-op and M&S declined to comment.
The gang, using the cyber crime service DragonForce, sent the BBC a long, offensive rant about their attack. In it, they expressed anger that Co-op's IT team made the decision to take computer services offline, preventing the criminals from continuing their hack.

"Co-op's network never ever suffered ransomware. They yanked their own plug - tanking sales, burning logistics, and torching shareholder value," the criminals said.

Cyber experts like Jen Ellis from the Ransomware Task Force said the response from Co-op was sensible.

"Co-op seems to have opted for self-imposed immediate-term disruption as a means of avoiding criminal-imposed, longer-term disruption. It seems to ha
Source: https://www.bbc.com/news/articles/cwy382w9eglo
The Harvard & MIT Cooperative Society cybersecurity rating report: https://www.rankiteo.com/company/harvardmitcoop
"id": "HAR1765116119",
"linkid": "harvardmitcoop",
"type": "Ransomware",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Yes',
'industry': 'Retail',
'location': None,
'name': 'Co-op',
'size': None,
'type': 'Retailer'}],
'data_breach': {'data_encryption': None,
'data_exfiltration': 'Yes',
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': None,
'sensitivity_of_data': None,
'type_of_data_compromised': 'Customer data'},
'date_detected': '2025-05-14',
'date_publicly_disclosed': '2025-05-14',
'description': 'Co-op narrowly averted being locked out of its '
'computer systems during a cyber attack that saw '
'customer data stolen and store shelves left '
'bare. The hackers claimed responsibility and '
'revealed they attempted to deploy ransomware but '
"failed when Co-op's IT team took systems "
'offline.',
'impact': {'brand_reputation_impact': 'Shareholder value '
'affected',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Customer data stolen',
'downtime': 'Immediate-term disruption due to '
'self-imposed shutdown',
'financial_loss': None,
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': 'Store shelves left bare, '
'logistics disrupted, sales '
'tanked',
'payment_information_risk': None,
'revenue_loss': 'Sales impacted',
'systems_affected': 'Computer systems (partially)'},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Ongoing',
'lessons_learned': 'Self-imposed immediate-term disruption can '
'prevent longer-term criminal-imposed '
'disruption.',
'motivation': 'Financial Gain (Ransom)',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'ransomware': {'data_encryption': 'Attempted but failed',
'data_exfiltration': 'Yes',
'ransom_demanded': None,
'ransom_paid': 'No',
'ransomware_strain': None},
'references': [{'date_accessed': '2025-05-14',
'source': 'BBC World Service',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': 'Took computer services '
'offline',
'enhanced_monitoring': None,
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'threat_actor': 'DragonForce',
'title': 'Co-op Cyber Attack Averted by Self-Imposed Shutdown',
'type': 'Ransomware Attack (Attempted)'}