In 2025, Co-op, a major UK retail chain, fell victim to a high-profile cyberattack that resulted in significant financial and reputational damage. The breach exposed customer data, including email addresses, names, phone numbers, and—critically—passwords in nearly half of the incidents. The attack reportedly cost the company around **£300 million** in recovery efforts, disrupting operations and eroding customer trust. The compromised records heightened risks of identity theft, with criminals potentially exploiting stolen credentials for fraudulent activities like unauthorized loans or credit card applications. The incident underscored the vulnerability of retail sectors, which accounted for **25% of all breaches** in 2025, with small and mid-sized businesses being prime targets. Co-op’s breach aligns with broader trends where attackers prioritize personally identifiable information (PII), with **100% of exposures** involving email addresses and **34% including sensitive data** like health or government records. The financial strain and operational disruptions positioned this as a severe threat to the organization’s stability, particularly given the scale of data compromised and the direct impact on customers.
TPRM report: https://www.rankiteo.com/company/the-co-op-group
"id": "the4993049103025",
"linkid": "the-co-op-group",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Retail/Wholesale',
'location': 'United Kingdom',
'name': 'Coop (UK Retailer)',
'size': 'Large (exact size unspecified)',
'type': 'Retail'},
{'industry': 'Retail/Wholesale',
'location': 'United Kingdom',
'name': 'Marks & Spencer (M&S)',
'size': 'Large (exact size unspecified)',
'type': 'Retail'},
{'industry': 'Multiple (Retail most common)',
'location': 'Global',
'name': 'Small Businesses (10-49 employees)',
'size': '10-49 employees',
'type': 'SME'},
{'industry': 'Multiple (Retail most common)',
'location': 'Global',
'name': 'Small Businesses (50-249 employees)',
'size': '50-249 employees',
'type': 'SME'},
{'industry': 'Multiple',
'location': 'Global',
'name': 'Micro Businesses (<10 employees)',
'size': '<10 employees',
'type': 'Micro Enterprise'}],
'customer_advisories': 'Monitor bank statements/accounts for fraud; use '
'breach notification tools.',
'data_breach': {'data_exfiltration': 'Yes (dark web sales implied)',
'number_of_records_exposed': '300+ million (verified '
'breaches); hundreds of billions '
'(including compilations)',
'personally_identifiable_information': 'Yes (dominant in all '
'breaches)',
'sensitivity_of_data': ['Low (emails/names)',
'Medium (phone numbers)',
'High (passwords/health/gov records)'],
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Email addresses (100% of '
'breaches)',
'Names (90%)',
'Phone numbers (72%)',
'Passwords (49%)',
'Health records (34%)',
'Government records (34%)']},
'date_publicly_disclosed': '2025',
'description': "New research from Proton's Data Breach Observatory reveals "
'that 71% of data breaches in 2025 have affected firms with '
'under 250 employees, with retail being the most targeted '
'industry. Over 300 million individual records have been '
'exposed across nearly 800 verified breaches, with email '
'addresses (100%), names (90%), and contact info (72%) being '
'the most commonly compromised PII. High-profile UK retailer '
'attacks (e.g., Coop, M&S) incurred recovery costs of ~£300m. '
'The primary risk is identity theft, with criminals using '
'exposed data for fraudulent loans/credit cards.',
'impact': {'brand_reputation_impact': 'High (especially for UK retailers)',
'data_compromised': '300+ million individual records (800 verified '
'breaches); hundreds of billions including '
'compilations',
'financial_loss': '£300 million (estimated for UK retailers like '
'Coop and M&S)',
'identity_theft_risk': 'High (primary danger; used for fraudulent '
'loans/credit cards)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (implied by Proton '
"Observatory's dark web "
'monitoring)',
'high_value_targets': 'Retail/wholesale traders; '
'small businesses'},
'investigation_status': 'Ongoing (Proton Observatory actively monitoring dark '
'web)',
'lessons_learned': 'Small businesses (under 250 employees) are '
'disproportionately targeted despite limited resources to '
'recover. Retail is the highest-risk industry. Basic PII '
'(emails/names) is ubiquitous in breaches, but sensitive '
'data (passwords/health records) poses severe identity '
'theft risks. Continuous monitoring of accounts and breach '
'notification tools (e.g., Have I Been Pwned) are critical '
'for mitigation.',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'root_causes': ['Targeting of under-resourced '
'small businesses',
'High-value PII collection by '
'retailers',
'Lack of proportional '
'cybersecurity investments in '
'SMEs']},
'recommendations': ['Small businesses should prioritize cybersecurity hygiene '
'(e.g., password managers, MFA).',
'Retailers must invest in threat detection and dark web '
'monitoring.',
'Consumers should use tools like Have I Been Pwned to '
'check exposure and monitor financial accounts.',
'Proactive communication strategies for breach disclosure '
'to maintain trust.'],
'references': [{'date_accessed': '2025',
'source': 'Proton Data Breach Observatory'},
{'date_accessed': '2025', 'source': 'TechRadar Pro'},
{'source': 'Have I Been Pwned',
'url': 'https://haveibeenpwned.com'}],
'response': {'communication_strategy': 'Public disclosure via Proton Data '
'Breach Observatory; advisory to '
'monitor accounts/bank statements'},
'stakeholder_advisories': 'Vigilance advised for all stakeholders; retailers '
'urged to assess third-party risks.',
'title': 'Proton Data Breach Observatory Findings: 71% of 2025 Breaches '
'Target Small Businesses',
'type': ['Data Breach', 'Cyberattack']}