The Co-operative Group suffered a severe cyberattack in April, forcing parts of its IT systems offline. The breach resulted in a £206 million loss in revenue and an £80 million hit to profits in the first half of 2025, pushing the company into an underlying operating loss of £32 million (down from a £47 million profit the prior year). Attackers stole personal data of all 6.5 million members, including names and contact details, though no payment card or transaction data was compromised. The attack disrupted supply chains, left shelves empty, and paralyzed back-office operations, requiring discounts (£10 off £40) to retain customers. Regulatory investigations (e.g., by the Information Commissioner’s Office) were triggered, and four suspects (linked to Scattered Spider) were arrested. The attack involved social engineering to exploit help desk credentials, but Co-op claimed it prevented full ransomware deployment. Recovery efforts continue, with expectations of reduced cyber impact in late 2025.
Source: https://www.theregister.com/2025/09/25/empty_shelves_empty_coffers_coop/
TPRM report: https://www.rankiteo.com/company/the-co-operative-food
"id": "the5832558092525",
"linkid": "the-co-operative-food",
"type": "Breach",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '6.5 million members',
'industry': ['Retail (Food)',
'Legal Services',
'Funeral Services',
'Insurance'],
'location': 'United Kingdom',
'name': 'The Co-operative Group',
'type': ['Registered Society',
'Member-owned Organization']}],
'attack_vector': ['Social Engineering',
'Credential Theft via Help Desk Exploitation'],
'customer_advisories': ['£10 off £40 shop discount for members'],
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '6.5 million',
'personally_identifiable_information': 'Yes (names, contact '
'details)',
'sensitivity_of_data': 'Moderate (names, contact information; '
'no financial data)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)']},
'date_detected': '2025-04',
'date_publicly_disclosed': '2025-07',
'description': 'The Co-operative Group suffered a cyberattack in April 2025 '
'that disrupted its IT systems, leading to significant '
'financial losses, operational chaos, and the theft of '
'personal data belonging to 6.5 million members. The attack, '
'linked to the Scattered Spider group, exploited social '
'engineering to gain access. While ransomware deployment was '
'partially thwarted, the incident resulted in £206 million in '
'lost revenue and an £80 million profit hit. Four suspects '
'were arrested in connection with the attack.',
'impact': {'brand_reputation_impact': 'Significant (regulatory '
'investigations, member distrust)',
'data_compromised': 'Personal details of 6.5 million members '
'(names, contact information)',
'downtime': 'Weeks (partial disruption ongoing)',
'financial_loss': '£206 million (lost revenue)',
'identity_theft_risk': 'High (personal details of 6.5 million '
'members exposed)',
'legal_liabilities': 'Potential (ICO investigation pending)',
'operational_impact': ['Supply chain disruptions',
'Empty shelves',
'Back-office operations halted',
'Member discounts offered (£10 off £40 '
'shop)'],
'payment_information_risk': 'None (no payment card or transaction '
'data compromised)',
'revenue_loss': '£206 million',
'systems_affected': ['IT systems (partial shutdown)',
'Supply chain systems',
'Back-office operations',
'Retail systems (shelves emptied)']},
'initial_access_broker': {'entry_point': 'Help desk credential reset via '
'social engineering',
'high_value_targets': ['Member database (6.5 '
'million records)']},
'investigation_status': 'Ongoing (ICO probe, law enforcement arrests made)',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'root_causes': ['Social engineering exploit (help '
'desk)',
'Inadequate credential '
'verification processes']},
'ransomware': {'data_encryption': 'Attempted (partially thwarted)',
'data_exfiltration': 'Yes (6.5 million records)',
'ransom_paid': 'Unconfirmed (£20 million one-off payment '
'suspected but unexplained)'},
'references': [{'source': 'The Register'}],
'regulatory_compliance': {'legal_actions': ['ICO investigation ongoing'],
'regulations_violated': ['Potential GDPR violations '
'(under ICO '
'investigation)'],
'regulatory_notifications': ['Information '
"Commissioner's Office "
'(ICO)']},
'response': {'communication_strategy': ['Public disclosure in July 2025',
'CEO statements on financial '
'resilience'],
'containment_measures': ['Prevented full ransomware deployment',
'Kept trading despite disruptions'],
'incident_response_plan_activated': 'Yes (partial containment of '
'ransomware)',
'law_enforcement_notified': 'Yes (UK National Crime Agency)',
'recovery_measures': ['Member discounts to regain trust',
'Partnership with The Hacking Games for '
'cyber threat awareness']},
'threat_actor': ['Scattered Spider (alleged)',
'Loose-knit group of UK/US hackers'],
'title': 'Cyberattack on The Co-operative Group',
'type': ['Cyberattack',
'Data Breach',
'Social Engineering',
'Ransomware (attempted)'],
'vulnerability_exploited': 'Human error (help desk staff tricked into '
'resetting credentials)'}