UK retail co-ops face up to the rising cyber-crime threat

Co-op News catches up with Longwall Security, which works with a number of retail co-ops, about the growing threat

Last year’s cyber-attack on the Co-op Group is just the tip of the iceberg. Other retailers – including Coop Sweden – have faced problems, and agri co-ops, credit unions and energy co-ops around the world are vulnerable to a criminal practice that cost the world £12tn last year.

UK businesses face an estimated 21,315 cyber attacks daily – around 7.78 million annually – with a business targeted every 44 seconds. Small businesses alone encounter around 65,000 hack attempts daily, with 4,500 resulting in breaches. 

Much of this is low-level, but every week the UK’s National Cyber Security Centre (NCSC) handles four “nationally significant” incidents, which it deems to have “a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy”. The 2025 figures marked a 50% increase in highly significant incidents for the third year running.

The NCSC acts as the public-facing arm of GCHQ for cybersecurity, and in its Annual Review 2025, urged businesses to take a more integrated approach. “For too long, cybersecurity has been regarded as an issue predominantly for technical staff,” said CEO Richard Horne. “This must change. All business leaders need to take responsibility for cyber resilience.”

Shirine Khoury-Haq, then-CEO of the Co-op Group, shared an open letter in the report. On 25 April, the Group, M&S and Harrods were the victims of a multi-stage cyber attack, as confirmed by the NCSC and the National Crime Agency (NCA).

“While you can plan meticulously, invest in the right tools and run countless exercises, nothing truly prepares you for the moment a real cyber event unfolds,” wrote Khoury-Haq. “The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse.

“Despite our swift and effective action to defend our Co-op from the hackers, some of our members’ data was accessed, such as names, contact details and dates of birth. As a member-owned business, this affected us all deeply.”

The attack has been attributed to two loosely affiliated hacking groups: Scattered Spider (which uses advanced social engineering to breach organisations and deploy ransomware) and DragonForce (which deploys ransomware for cybercrime affiliates for a 20% cut of any ransoms collected). On 10 July, four people were arrested by the NCA on suspicion of blackmail, money laundering, Computer Misuse Act violations, and participating in an organised crime group. Another man, linked to Scattered Spider, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft in the US after being extradited, with sentencing set for 21 August. 

The attack had a financial impact estimated between £270m and £440m. M&S was hardest hit, with its online store closed for nearly seven weeks, while the Co-op Group had to shut down some of its systems, leading to empty shelves in some stores. Other retail co-ops in the FRTS buying group suffered significant operational disruption, impacting their financial results. 

On the back of this, cybersecurity was a central theme at the 2026 Co-op Retail Conference, hosted by Co-operatives UK in Glasgow. In attendance was Longwall Security, a tech security company which works with several co-op retailers.  

“We were involved in setting up some initial security systems for Central Co-op (now OurCoop) nearly eight years ago, including some of their anti-malware solutions,” says managing director Mat Cornish. “We liked working with them, they liked working with us, and we found the relationship just grew and grew.

“We’ve done more as they have wanted to push the boundaries, and we have pushed them on some of the security elements they should be doing. We are now an embedded part of their team and our team works alongside them every day. We do board sessions with them. We talk around risk and metrics. We work with the analysts, we work with the IT team, with everyone in the organisation. And it’s that partnership aspect that has worked so well.”

Longwall came to the retail conference “to talk more to other co-operatives about what that journey looked like,” he adds. “Cyber support doesn’t have to be a faceless ticketed system.”

Through OurCoop, Longwall has set up the Retail Cooperative Cyber Alliance, with the hope of involving other retail societies.

“Co-ops have a shared brand,” said Longwall’s sales and marketing director James Gibson, “and a lot of that shared brand is out of their control. So we wanted to widen our support to the other co-ops to be able to help them.

Mat Cornish (left) and James Gibson talk cybersecurity with delegates at the Co-op Retail Conference (image: Co-operatives UK / Robin Mitchell Photography)

“We want them to take a driving seat and take ownership of it. At the moment we’re meeting twice a year, but want to increase that to quarterly, collaborating on strategy, policy, processes around information and what they’ve learned.”

The Alliance is currently invite-only, but Longwall is working to create a formal group, with Cornish warning that organisations aren’t sharing the right information. “Attackers don’t care which co-op they hit,” he says. “They care about disruption. And in the UK, when a co-op is hit, everybody feels it. So it’s about working together, being more open, sharing that intelligence, and coming up with a response that everyone is capable of and happy with.”

While the Competition and Markets Authority (CMA) prohibits businesses from sharing commercially sensitive information, security discussions can be protected if the correct NDAs are in place and the information is shared only with the correct parties.

One example is shared knowledge around suppliers, says Cornish. “It’s about understanding who suppliers are and what their risk is to your business – and if you are assessing them, they are probably a shared supplier with another co-op.” 

Every retailer will have hundreds of suppliers with highly connected digital systems, he adds, such as ordering systems, payroll, fridge monitoring and deliveries – and correctly shared information is key to reducing risk.

Culture is a vital part of a cyber security system, says Gibson. “At the beginning, the Central Co-op cyber team weren’t cyber experts at all. They’re embedded in their team and promoted from other IT roles, and we came in and took them under our wing.” 

Cornish wants increased policy support for retail cyber security. “The NCSC has published a Cyber Assessment Framework, which is what we assess our clients against today,” he says. “Critical national infrastructure already has mandated scores that they have to achieve.” 

Hacking has been around since the 1960s, and today there are two main motives behind it, he adds. “It’s about pushing the boundaries because you can, or it’s financial. A lot of people start with just pushing the boundaries because they’re smart and inquisitive. And one of the most interesting pieces written about this is The Conscience of a Hacker, released in the 1980s [by hacker Loyd Blankenship]. 

“It basically said, ‘I’m not here to cause damage. I’m here because I want to learn more.’ It was about wanting to see more and about freedom of information. Now there’s a split. There are people who want to test themselves and have access to more information … But then some people are just financially motivated – they hack the data and then sell it.”

As the cyber threat landscape evolves at an alarming rate, so grows the need for skilled cybersecurity professionals. Already valued at £13.2bn, the cybersecurity sector has been identified by the government as a key frontier industry – but tens of thousands of cybersecurity jobs in the UK remain vacant.

In light of this, and in the wake of the cyber-attack it experienced, the Co-op Group launched a partnership with social impact business Hacking Games to identify young cyber talent and channel it into positive work.

“There is an urgent need to engage Gen Z and inspire them to pursue careers in cybersecurity,” said the Group, “putting their cyber skills to ethical use as hackers for good, rather than being drawn down a more nefarious route that can cause real disruption to victims.”