The Co-operative Group has revealed the cyberattack that knocked its systems offline earlier this year will leave it nursing an £80 million hangover.
The registered society – owned by members not shareholders – includes a food retail biz and provides legal, funeral and insurance services.
Today it said the breach, which struck in April and forced it to shut parts of its IT systems, has so far cost it £206 million in lost revenue, with Co-op taking an £80 million profit hit in the first half of 2025.
As a result, Co-op slumped to an underlying operating loss of £32 million, a sharp swing from the £47 million profit it notched up a year ago.
The losses, reported on Thursday, include a £20 million one-off payment that Co-op has yet to explain. The company has yet to respond to The Register’s request for comment.
If Co-op did pay a ransom to criminals, it didn’t do much good. Co-op confirmed in July that attackers had stolen the personal details of all 6.5 million of its members, including names and contact information, although the company said no payment card or transaction data was compromised.
Co-op insists its defences stopped the attackers before they could unleash full-blown ransomware across its production systems, sparing it from an even bigger shakedown. That didn’t stop the chaos: supply chains jammed, some shelves went bare, and back-office operations seized up.
The retailer was forced to offer members discounts – £10 off a £40 shop – to lure them back after weeks of disruption. The breach has triggered investigations by regulators, with the Information Commissioner’s Office expected to probe how so much personal data was exposed.
Chief executive Shirine Khoury-Haq tried to put a brave face on the mess, insisting the group’s structure gave it the means to weather the storm.
“When we experienced a significant cyber attack, that financial strength allowed us to respond as a member-owned organization,” she said. “I’m very proud of how we reacted: we kept trading, prioritized colleagues and vulnerable communities, and launched a partnership with The Hacking Games to tackle youth disenfranchisement – the root of many cyber threats.”
Law enforcement has moved unusually quickly in the wake of the Co-op attack. The UK’s National Crime Agency arrested four suspects, three Brits and one Latvian, accused of involvement in a spree of attacks against Co-op, Marks & Spencer and Harrods.
The group is believed to be associated with Scattered Spider, a loose-knit crew of mostly UK and US hackers blamed for a string of high-profile breaches. Reports suggest the attackers used social engineering tricks to dupe help desk staff into resetting credentials, thereby gaining entry into corporate networks.
Co-op reckons the worst of the hack is behind it, saying it expects to see a “reducing level of cyber impact” in the second half of the year. Still, management cautioned that cost pressures, volatile markets and stiff competition will keep the squeeze on, even as it tries to convince members and markets that the breach is finally under control. ®