Co-op declares cyber attack damage cost £206m

The Co-op has disclosed for the first time the scale of the financial damage it suffered due to April’s cyber attack.

The retail, insurance, legal and funeral care Co-op Group estimates total costs of £206m as a direct consequence of the attack.

In its half-year financial statement, it said: “When Co-op was targeted by a sophisticated cyber attack, we acted quickly and decisively to temporarily shut down a number of systems to contain the threat. This led to operational disruption.”

Debbie White, chair of the Co-op, added: “The first half of 2025 brought significant challenges, most notably from a malicious cyber attack. Our balance sheet strength and the magnificent response of our 53,000 colleagues enabled us to maintain vital services for our members and their communities. We must now build our Co-op back better and stronger to meet the challenges and opportunities that lie ahead.”

In its results, the Co-op said its half-year revenues of £5.5bn were 2.1% lower than for the same period of 2024, but offered the opinion that the figure would have been 1.5% higher had it not been hit by a cyber attack.

As with Jaguar Land Rover, which has seen its production lines fall silent following a cyber attack on 31 August, the Co-op has been reported by the Financial Times not to have had cyber insurance.

The Co-op results statement reveals a 1.6% drop in revenue from its grocery shops, from £5.603m in the first half of 2024 to £5.484m in the same half-year period in 2025. Shelves were empty for weeks in its 2,300 stores as a result of the attack, during which it switched off back-office and communications systems.

The attack, which took place at the end of April, came hard on the heels of a similar attack on Marks and Spencer.

The UK’s Cyber Monitoring Centre (CMC) identified the Scattered Spider hacking group as the source of both attacks, and estimated the economic damage from the attacks to be between £270m and £400m, calculated from public and commercial data sources, including its own modelling, and another figure of around £300m stated by M&S in May during its annual results call.

Based on statistics drawn from transactional data platform Fable Data, the CMC reported daily spend at the Co-op dropped by 11% during the first 30 days of the incident. It also said that because the Co-op is often the only bricks and mortar grocery chain in more isolated and remote parts of the country – for example, in the Highlands and Islands of Scotland – the incident demonstrated the broader social impacts of such cyber attacks.

“The event underscores retail sector vulnerabilities tied to just-in-time stock systems, lack of back-end storage and high dependency on IT-driven order flows. When systems fail, it is challenging to revert to manual processes,” said the CMC.

After initially playing down the significance of the attack, the Co-op admitted the data of all 6.5 million of its member customers had been stolen.

Co-op Group chief executive Shirine Khoury-Haq said, during an appearance on BBC Breakfast over the summer: “I am incredibly sorry. It’s awful to have happened. That’s why we feel like we have to do something positive now.”

At the time, she expressed relief that Scattered Spider had been caught and evicted from the retailer’s systems before the hacking group could deploy ransomware.

Stephen McPartland, author of the McPartland Review into cyber security and former Minister of State for Security, said, to Computer Weekly: “The Co-op's staggering losses show that even a multi-billion pound business lacks the requisite defences to withstand the increasingly sophisticated nature of cyber crime. Sadly, many smaller businesses in the Co-op's supply chain simply do not have the cashflow to survive such shocks.

“Cyber resilience must now be treated as a fundamental part of the UK's economic infrastructure – protecting jobs, communities, and Britain’s competitiveness.
“Boards must embrace cyber awareness, equipping their organisations with the tools and strategies needed to fend off attacks.”