The Co-operative (Co-op)

The Co-operative (Co-op) suffered a **sophisticated malicious cyberattack** in April 2025, resulting in a **£120 million full-year earnings hit** and a **£206 million sales decline**. The attack disrupted operations, leaving shelves empty and payment systems dysfunctional, while **personal data of all 6.5 million members was stolen** after hackers impersonated employees to gain unauthorized access. Though ransomware was not deployed, the breach forced temporary IT shutdowns, causing a **£75 million pre-tax loss** (down from a £3 million profit the prior year) and a **£32 million operating loss**. Recovery efforts included prioritizing rural stores, supporting franchise partners, and offering customer discounts, but the company continues to face **lingering disruptions in convenience store footfall and back-office operations**. Expansion plans were paused, and leadership restructuring followed. The CEO emphasized the need for **mandatory cyberattack reporting** to combat the UK’s vulnerability to ransomware attacks.

Source: https://www.independent.co.uk/news/business/cooperative-group-holly-williams-government-jaguar-land-rover-spencer-b2833371.html

TPRM report: https://www.rankiteo.com/company/the-co-op-group

"id": "the4932749092525",
"linkid": "the-co-op-group",
"type": "Cyber Attack",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '6.5 million members (data '
                                              'breach) + broader customer base '
                                              '(operational disruption)',
                        'industry': ['Retail', 'Funeral Services', 'Food'],
                        'location': 'United Kingdom',
                        'name': 'The Co-operative Group',
                        'size': '53,000 employees, 6.5 million members',
                        'type': ['Retailer', 'Co-operative Society']}],
 'attack_vector': ['Phishing/Social Engineering (impersonation of workers)',
                   'Credential Theft'],
 'customer_advisories': ['£10 discount off a £40 shop for members as '
                         'compensation'],
 'data_breach': {'data_exfiltration': 'Yes (copy of internal file created by '
                                      'hackers)',
                 'number_of_records_exposed': '6.5 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personal identifiable '
                                        'information)',
                 'type_of_data_compromised': ['Personal data (members)']},
 'date_detected': 'April 2025',
 'date_publicly_disclosed': 'July 2025',
 'description': 'The Co-operative Group suffered a sophisticated malicious '
                'cyberattack in April 2025, leading to a £120 million '
                'full-year earnings hit, £206 million in lost sales, and the '
                'theft of personal data for all 6.5 million members. The '
                'attack disrupted operations, caused empty shelves, payment '
                'issues, and a £75 million underlying pre-tax loss for H1 '
                '2025. Hackers impersonated employees to gain access, stole '
                'member data, and created copies of internal files but failed '
                'to deploy ransomware. The Co-op responded by shutting down '
                'affected systems, prioritizing essential services, and '
                'offering customer discounts. Recovery efforts are ongoing, '
                'with lingering impacts on customer numbers and back-office '
                'operations.',
 'impact': {'brand_reputation_impact': ['Negative publicity',
                                        'Loss of customer trust (mitigated by '
                                        '£10 discount offer)'],
            'data_compromised': 'Personal data of all 6.5 million members',
            'financial_loss': {'half_year_loss': '£80 million (H1 2025)',
                               'operating_loss': '£32 million (vs. £47 million '
                                                 'profit prior year)',
                               'pre_tax_loss': '£75 million (vs. £3 million '
                                               'profit prior year)',
                               'sales_impact': '£206 million',
                               'second_half_estimated': '£40 million (H2 2025)',
                               'total_estimated': '£120 million (full-year)'},
            'identity_theft_risk': 'High (personal data of 6.5 million members '
                                   'stolen)',
            'operational_impact': ['Empty shelves',
                                   'Payment processing issues',
                                   'Disrupted supply chain',
                                   'Halting of expansion plans (temporarily)',
                                   'Reduced customer numbers in convenience '
                                   'stores'],
            'revenue_loss': '£206 million (sales impact)',
            'systems_affected': ['IT systems (partially shut down)',
                                 'Payment systems',
                                 'Inventory management',
                                 'Back-office operations']},
 'initial_access_broker': {'entry_point': 'Social engineering (impersonation '
                                          'of workers to trick employees)',
                           'high_value_targets': ['Member data',
                                                  'IT systems controlling '
                                                  'payments and inventory']},
 'investigation_status': 'Ongoing (as of July 2025, recovery efforts continue)',
 'lessons_learned': ['Need for stronger cybersecurity in food business '
                     'operations',
                     'Importance of mandatory ransomware reporting (advocated '
                     'by CEO)',
                     'Resilience in maintaining essential services during '
                     'crises',
                     'Opportunity to reflect and emerge stronger '
                     'post-incident'],
 'motivation': ['Financial Gain', 'Data Theft'],
 'post_incident_analysis': {'corrective_actions': ['Leadership overhaul and '
                                                   'new commercial/logistics '
                                                   'division',
                                                   'Resumed expansion with 30 '
                                                   'new store openings in H2 '
                                                   '2025',
                                                   'Advocacy for '
                                                   'government-mandated '
                                                   'cyberattack reporting'],
                            'root_causes': ['Successful phishing/social '
                                            'engineering attack',
                                            'Inadequate employee training on '
                                            'impersonation tactics',
                                            'Lack of system segmentation to '
                                            'contain breach']},
 'ransomware': {'data_encryption': 'No (attempted but failed)',
                'data_exfiltration': 'Yes'},
 'recommendations': ['Mandatory reporting of cyberattacks and ransom payments '
                     "(CEO's call to UK Government)",
                     'Enhanced employee training on social engineering and '
                     'phishing',
                     'Improved segmentation of IT systems to limit lateral '
                     'movement',
                     'Accelerated recovery plans for back-office operations',
                     'Customer retention strategies to rebuild trust'],
 'references': [{'source': 'The Independent'},
                {'source': 'PA News Agency (interview with CEO Shirine '
                           'Khoury-Haq)'}],
 'response': {'communication_strategy': ['Public disclosure in July 2025',
                                         'Offered £10 discount to members as '
                                         'compensation',
                                         'Media statements by CEO and '
                                         'Chairwoman'],
              'containment_measures': ['Shut down affected IT systems',
                                       'Isolated compromised accounts'],
              'incident_response_plan_activated': 'Yes (systems temporarily '
                                                  'shut down to contain '
                                                  'threat)',
              'recovery_measures': ['Resumed expansion plans (30 new openings '
                                    'in H2 2025)',
                                    'Overhauled leadership',
                                    'Formed new commercial and logistics '
                                    'division'],
              'remediation_measures': ['Prioritized essential services (e.g., '
                                       'funerals, rural stores)',
                                       'Supported independent co-op societies '
                                       'and franchise partners']},
 'stakeholder_advisories': ['Prioritized support for independent co-op '
                            'societies and franchise partners'],
 'title': 'Cyberattack on The Co-operative Group',
 'type': ['Cyberattack',
          'Data Breach',
          'Social Engineering',
          'Unauthorized Access'],
 'vulnerability_exploited': 'Human error (employees tricked into granting '
                            'access)'}