Full Report
Shoppers across the UK are noticing growing gaps in product displays at Co-op stores, with certain items missing and others running low, especially in smaller and remote locations. The disruptions come after a Co-op cyberattack that hit Co-operative Group’s IT systems two weeks ago, causing operational challenges. The retailer, which employs more than 50,000 people and operates over 3,000 outlets nationwide, confirmed that it took “proactive steps” in April to shut down parts of its internal systems after detecting “unauthorised access attempts.” What was initially described as a minor disruption due to Co-op cyberattack has now grown into a serious issue, affecting store stock levels and potentially compromising customer data. Co-op cyberattack: Systems Shut Down to Contain Threat In a statement last month, Co-op said it had “taken proactive steps” to protect its IT infrastructure from Co-op cyberattack. This included shutting down parts of the network to stop the attackers from spreading further through their systems. Now, with food shortages impacting day-to-day shopping, particularly for perishable goods, the company is facing pressure to restore services while also handling the data privacy concerns that followed. Shirine Khoury-Haq, CEO of Co-op, issued a personal message to member-owners this week, acknowledging the disruption caused by the Co-op cyberattack and the impact on Co-op’s operations. "The criminals that are perpetrating these attacks are highly sophisticated and our colleagues are working tirelessly to do three things: (1) protect and defend our Co-op, (2) fully understand the extent of the impact caused by the attack and (3) provide much needed information to the authorities that may help them with their investigations," Khoury-Haq wrote. "Actively managing the severity of the attack has meant shutting down some of our systems to protect the organisation," she added. Empty Stores and Priority Deliveries The shutdown has disrupted Co-op’s supply chain and impacted stock delivery to stores. Supplies of fresh fruit and vegetables, canned goods, and cigarettes have been inconsistent or missing entirely in some locations. Perishable items, particularly animal products such as meat, eggs, and milk, are being prioritized for delivery. The move aligns with strict UK regulations around handling food beyond its sell-by date. The company has implemented a temporary stock and delivery strategy to keep the store running. A Co-op spokesperson told BBC News that the chain has introduced “a temporary contingency stock ordering and delivery process” for such lifeline locations. Customer Data Compromised Adding to the disruption, Co-op also confirmed that some customer data was accessed by the attackers. We have established that the cyber criminals were able to access a limited amount of member data. This is obviously extremely distressing for our colleagues and members, and I am very sorry this happened," Khoury-Haq wrote in her open letter. The company did not disclose exactly what information was compromised, but emphasized that it takes data protection seriously and is cooperating with regulators. Although further technical details remain limited, Co-op says it has directed customers to online resources for more information and is committed to transparency while managing the incident. "I appreciate you will want to know more, and I hope you will understand that in order to protect our Co-op, we are limited as to the detail we can communicate at this time," Khoury-Haq noted. Scale of the Co-op Operation In a financial update released earlier this year (April 3), the Co-op said it was making strategic investments to deal with rising operational costs and was continuing to support members, employees, and communities dealing with cost-of-living pressures. The company also saw a 22% increase in membership, reaching 6.2 million members—well on its way to its 2030 goal of 8 million. However, the Co-op cyberattack now threatens to undercut some of that progress, both in terms of customer trust and day-to-day operations. Not an Isolated Incident Co-op’s cybersecurity incident is part of a concerning trend hitting UK retailers. Just days before the Co-op disclosed its breach, Harrods confirmed it too had been targeted in a cyberattack. The breach made Harrods the third major UK retailer in less than a week to report such an incident. Earlier, Marks & Spencer also revealed a similar cybersecurity disruption, raising concerns about vulnerabilities in the country’s retail sector. While details about the actors behind the Co-op breach remain unknown, investigations are underway with national authorities. What’s Next? Co-op has promised to keep its members and customers updated as more information becomes available. The company's IT and security teams are working closely with law enforcement and third-party cybersecurity experts to assess the extent of the breach and strengthen their defenses. For now, customers are being encouraged to shop with patience as the company works to stabilize supply chain operations and restock empty shelves. Online resources have also been made available to address any concerns related to the incident, especially around data privacy. "Thank you for your continued support," Khoury-Haq concluded in her letter. "Our front-line colleagues are focused on minimising any disruption that might be experienced by our members and customers." With more retailers joining the list of recent victims, cybersecurity is quickly becoming not just an IT concern but a frontline issue for customer service, supply chain resilience, and brand trust. For Co-op, how it navigates the next few weeks will shape public confidence in one of the UK’s most trusted consumer brands.
Analysis Summary
# Incident Report: Co-op Cyberattack Disrupts UK Supply Chain
## Executive Summary
A significant cyberattack targeted the UK's Co-op company, leading to widespread disruptions in the food supply chain and empty shelves in stores. While the specific attack vector and scope of data compromise are under investigation, the incident forced the company to engage law enforcement and third-party experts to contain the threat and stabilize operations. The primary impact was operational, affecting the ability to maintain standard service levels across the UK.
## Incident Details
- Discovery Date: May 15, 2025 (Date of reporting)
- Incident Date: Unknown (Began prior to May 15, 2025)
- Affected Organization: Co-op (The UK retailer)
- Sector: Retail/Grocery
- Geography: United Kingdom (UK)
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Not explicitly detailed in the provided context, but implied to be severe enough to impact supply chain systems.
- Details: The incident coincided with other major UK retailers (Marks & Spencer, Harrods) suffering disruptions, suggesting a possible trend or widespread vulnerability in the sector.
### Lateral Movement
- Details: Attackers achieved access that allowed them to disrupt critical supply chain operations, suggesting movement into enterprise resource planning (ERP) or logistics systems. Specific lateral movement techniques are not detailed.
### Data Exfiltration/Impact
- Details: The primary impact was operational disruption ("supply chain disruptions," "restock empty shelves"). The article mentions the CEO addressing members about protecting their data, implying a potential data breach component, though the extent is not specified.
### Detection & Response
- Details: The incident was eventually made public, with the company confirming ongoing work to stabilize supply chain operations. Co-op IT and security teams are working with law enforcement and third-party cybersecurity experts.
## Attack Methodology
The provided text does not detail specific TTPs (e.g., initial access methods, malware used). Based on the outcomes:
- Initial Access: Unknown (Likely phishing, exploitation of an external-facing service, or supply chain compromise given retail sector trends).
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Movement that affected core supply chain and logistics functions.
- Collection: Possible, given the mention of data protection concerns.
- Exfiltration: Unknown.
- Impact: Major operational disruption affecting logistics and stock management.
## Impact Assessment
- Financial: Not quantified.
- Data Breach: Potential data breach; Co-op CEO stated they are "Fighting to Protect Your Data," indicating data was a concern. Specific volume/type unknown.
- Operational: Severe disruption to the food supply chain across the UK, leading to empty shelves and requiring customer patience.
- Reputational: Risk to public confidence in a major UK consumer brand.
## Indicators of Compromise
- Network indicators: None provided (IPs/Domains defanged required).
- File indicators: None provided.
- Behavioral indicators: Disruption of supply chain and inventory management systems.
## Response Actions
- Containment measures: Undertaken by IT and security teams alongside external experts.
- Eradication steps: In progress as the company works to "stabilize supply chain operations."
- Recovery actions: Focus on restocking shelves and system stabilization.
## Lessons Learned
- The incident highlights that operational technology (OT) and critical supply chain infrastructure are high-value targets for disruption, not just traditional data theft.
- Cybersecurity failures in the retail sector can rapidly cascade into physical consumer impact (supply shock).
- The need for coordinated partnership between corporate security, law enforcement, and third-party experts during a crisis.
## Recommendations
- Conduct a comprehensive review of supply chain IT dependencies and segmentation to minimize the blast radius of future operational disruptions.
- Enhance monitoring specific to logistics, inventory, and distribution control systems.
- Immediately review access controls and patch management across all systems implicated in the retail supply chain process, especially given concurrent incidents at other major retailers.