Cyber attack on Co-op Group leaves stores with empty shelves

The attack by ransomware gang DragonForce has led to some members’ data being compromised

Co-op Group stores have been left with empty shelves after a cyber-attack forced the retailer to shut down its delivery systems, with the Group warning: “Some of our stores might not have all of their usual products available”.

It was reported last week that the Group’s ordering system was shut down and warehouse staff sent home following the attack.

The retailer has been dealing with the attack – by ransomware organisation DragonForce – since last week, announcing on Friday that some members’ data has been compromised.

It says, in a list of online FAQs about the incident, that other co-op retail societies have not been affected by the member data breach – as they are separate businesses.

But some supply disruptions are likely at other retail societies in the FRTS network.

Cybercrime is a growing problem for the retail sector, with M&S and Harrods also currently dealing with attacks. Around the world, co-op retailers have fallen prey, including Canada’s Federated Co-ops last summer and Coop Sweden, attacked over Christmas in 2023.

In a message to members, Group CEO Shirine Khoury-Haq said: “The criminals that are perpetrating these attacks are highly sophisticated and our colleagues are working tirelessly to do three things: (1) protect and defend our Co-op, (2) fully understand the extent of the impact caused by the attack and (3) provide much needed information to the authorities that may help them with their investigations.”

The Group has been forced to shut down some of its systems to protect itself from the attack, she added.

“Actively managing the severity of the attack has meant shutting down some of our systems to protect the organisation.”

She added: “The cyber criminals were able to access a limited amount of member data. This is obviously extremely distressing for our colleagues and members, and I am very sorry this happened. We recognise the importance of data protection and take our obligations to you and our regulators seriously, particularly as a member-owned organisation.

“I appreciate you will want to know more, and I hope you will understand that in order to protect our Co-op, we are limited as to the detail we can communicate at this time. I thank you for your patience and I will be back in touch as soon as possible.”

In another post on its website, on 2 May, the Group called the attack “a highly complex situation” and said it had enlisted the help of the National Cyber Security Centre (NCSC, part of GCHQ) and the National Crime Agency (NCA).

“We have implemented measures to ensure that we prevent unauthorised access to our systems whilst minimising disruption for our members, customers, colleagues and partners,” it added.

“As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems.

“The accessed data included information relating to a significant number of our current and past members.

“This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.

“We appreciate that our members have placed their trust in our Co-op when providing information to us. Protecting the security of our members’ and customers’ data is a priority, and we are very sorry that this situation has arisen.”

In terms of the impact of the attack on the wider retail co-op sector, other societies have stressed that as independent businesses, their membership data is completely separate and therefore unaffected. But there may still be an impact for some stores in terms of stock availability.

In a post on the Midcounties Co-op website, CEO Phil Ponsonby said: “Midcounties is an independent co-op society. We have our own systems, including membership, and our own membership records have not been affected by any of the recent cyber incidents. 

“We do however rely on the Co-op Group for the distribution of food products into our food stores and as a result of the protocols they have put in place to secure their systems we are experiencing disruption of goods into our food stores. 

“Over the coming days, it’s likely that you’ll see reduced availability of some products in our stores, and we’re sorry for the inconvenience this may cause.

“We are working closely with Co-op Group to minimise disruption, prioritising the essential items you need when you’re shopping with us.”

Pat McFadden, the government minister in charge of cyber security, called the attacks a “wake-up call” for businesses.

He is due to make a speech on the issue urging firms from all sectors to consider what cyber protections they have in place.

“In a world where the cybercriminals targeting us are relentless in their pursuit of profit – with attempts being made every hour of every day – companies must treat cyber security as an absolute priority,” he will say.

“We’ve watched in real-time the disruption these attacks have caused – including to working families going about their everyday lives. It serves as a powerful reminder that just as you would never leave your car or your house unlocked on your way to work, we have to treat our digital shop fronts the same way.”