Co-op suffered a severe cyber attack in April, resulting in a £206m revenue loss and an expected full-year revenue drop of £300m, with profits reduced by £120m. The attack disrupted IT systems, causing empty shelves, halted food deliveries, and forced operational restrictions. Criminals impersonated staff to install malware, triggering 4,000 ransomware attempts per minute before defenses blocked further spread. While tills remained operational, the breach compromised the personal data (names, addresses, contact details) of all 6.5 million members—one of the UK’s largest retail data breaches. The incident also led to leadership changes, including the departure of the managing director of the food business, amid declining market share (5.2%, a record low). Recovery efforts continue as systems are gradually restored, with the company vowing to rebuild stronger cyber defenses.
Source: https://finance.yahoo.com/news/co-op-unveils-206m-hit-072614041.html
TPRM report: https://www.rankiteo.com/company/the-co-op-group
{
  "id": "the5632356092525",
  "linkid": "the-co-op-group",
  "type": "Cyber Attack",
  "date": "4/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '6.5 million (members)',
'industry': ['Retail',
'Food & Beverage',
'Funeral Services',
'Legal',
'Insurance'],
'location': 'United Kingdom',
'name': 'Co-op Group',
'size': 'Large (2,300+ grocery stores, multiple '
'business units)',
'type': ['Retailer',
'Grocery Chain',
'Funeral Care',
'Legal Services',
'Insurance']}],
'attack_vector': ['Social Engineering (Impersonation)',
'Malware Installation'],
'customer_advisories': ['CEO Apology for Data Breach',
'Assurance No Financial Data Stolen'],
'data_breach': {'data_exfiltration': 'Yes (Names, Addresses, Contact Info)',
'number_of_records_exposed': '6.5 million',
'personally_identifiable_information': ['Names',
'Addresses',
'Contact Details'],
'sensitivity_of_data': 'Moderate (No Financial Data; PII '
'Only)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)']},
'date_detected': '2023-04',
'date_publicly_disclosed': '2023-07',
'description': 'Co-op suffered a crippling cyber attack in April 2023, '
'leading to an IT shutdown that disrupted food deliveries, '
'emptied shelves, and resulted in the theft of 6.5 million '
"members' personal data. The attack caused a £206m revenue hit "
'in the first half of the year, with full-year losses '
'projected at £300m. The company attributed the breach to '
"'very persistent and very capable' criminals who impersonated "
'staff to install malware, though ransomware deployment was '
'blocked by defenses. No financial or transaction data was '
'stolen, but names, addresses, and contact details were '
'compromised.',
'impact': {'brand_reputation_impact': ['Public Apology by CEO',
'Loss of Customer Trust',
'Leadership Changes (MD Resignation)'],
'data_compromised': {'data_types': ['Names',
'Addresses',
'Contact Information'],
'records_exposed': "6.5 million (members' "
'data)'},
'downtime': {'duration': 'Prolonged (systems gradually restored; '
'full recovery timeline unclear)',
'operational_disruption': ['Halted Food Deliveries',
'Empty Shelves',
'Restricted Sales']},
'financial_loss': {'full_year_projected_profit_reduction': '£120m',
'full_year_projected_revenue_loss': '£300m',
'half_year_net_loss': '£50m (vs. £58m profit '
'prior year)',
'initial_half_year': '£206m (revenue hit)',
'profit_reduction_half_year': '£80m'},
'identity_theft_risk': 'High (Personal Data Stolen)',
'operational_impact': ['Supply Chain Disruption',
'Store Operations Limited (Tills Remained '
'Open)',
'Market Share Decline to 5.2% (record low)'],
'payment_information_risk': 'None (No Financial/Transaction Data '
'Compromised)',
'revenue_loss': '£300m (full-year projection)',
'systems_affected': ['IT Systems (Shutdown)',
'Food Delivery Systems',
'Member Database']},
'initial_access_broker': {'entry_point': 'Staff Impersonation',
'high_value_targets': ['Member Database',
'IT Systems']},
'investigation_status': 'Ongoing (Root Cause Attributed to Staff '
'Impersonation)',
'lessons_learned': ['Need for Strengthened Cyber Defenses Against Social '
'Engineering',
'Importance of Rapid Containment to Limit Operational '
'Disruption',
'Criticality of Member Data Protection',
'Resilience in Supply Chain and IT Systems'],
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'corrective_actions': ['System Restrictions to '
'Limit Attack Spread',
'Leadership Review (MD '
'Resignation)',
'Focus on Food Business '
'Resilience'],
'root_causes': ['Successful Staff Impersonation by '
'Attackers',
'Inadequate Safeguards Against '
'Social Engineering',
'Rapid Propagation of Malware '
'Within Systems']},
'ransomware': {'data_encryption': 'Attempted (Blocked by Defenses)',
'data_exfiltration': 'Yes (PII Stolen Prior to Ransomware '
'Attempt)'},
'recommendations': ['Enhance Staff Training on Impersonation Attacks',
'Implement Multi-Factor Authentication (MFA) for Critical '
'Systems',
'Conduct Third-Party Security Audits',
'Develop Redundant IT Infrastructure to Mitigate Downtime',
'Improve Incident Communication Protocols'],
'references': [{'source': 'The Telegraph'},
{'source': 'Co-op Group Financial Results (2023)'}],
'response': {'communication_strategy': ['Public Disclosure (July 2023)',
'CEO Apology',
'Transparency in Financial Reports'],
'containment_measures': ['System Restrictions',
'Blocked 4,000 Ransomware Attempts per '
'Minute'],
'incident_response_plan_activated': 'Yes (Restrictions Placed on '
'Systems)',
'recovery_measures': ['Phased Reboot of IT Systems',
'Operational Adjustments in Food Business'],
'remediation_measures': ['Gradual System Restoration',
'Leadership Review']},
'stakeholder_advisories': ['Public Statements by CEO and Chairman',
'Financial Disclosures to Investors'],
'threat_actor': "Unknown (Described as 'very persistent and very capable' "
'criminals)',
'title': 'Co-op Cyber Attack and Data Breach (2023)',
'type': ['Cyber Attack',
'Data Breach',
'Malware Infection',
'Attempted Ransomware'],
'vulnerability_exploited': 'Human Error (Staff Impersonation)'}