In today’s bulletin, Charlie revisits the recent Co-op cyber attack and provides a useful timeline of events to highlight the progress of the incident.

This week, I thought I would go back to cyber, as for the last two weeks I have been delivering my cyber course – firstly as a public course, and secondly as a private course for a government organisation. Both weeks, the news has been buzzing with reports of the M&S and the Co-op hack. I recently became a Co-op member after having used the store local to my home for the last 22 years, and I received three emails from the CEO saying my data had been compromised. I thought I could look at Co-op as a case study and share what I learned with you. My research was all from newspaper articles, so I may not be 100% right, but I think it will give you a flavour of events. I did quite a lot of work putting together a timeline of events, so I thought it would be interesting to approach this case study from a chronological timeline point of view.

Timeline of Events (2025)

 

22nd April – This is the date BleepingComputer reported as the day of the hack and they claim this date was supplied to them from ‘sources’. I have seen no other article which mentions this date, so I am not sure how valid it is. It does fit with the pattern of attackers being inside the organisation’s IT for some time, seeking out and exfiltrating data, before they break cover and send a ransom note, are discovered, or encrypt files and then send a ransom note.

26th–27th April (weekend) – Attempts were made to get into Co-op’s systems.

30th April – ITV News broke the story that there had been a cyber attack on Co-op. Cyber is very much in the news with the M&S attack and the impact it was having on their delivery of services and their click and collect being unavailable. In the ITV News piece, there is a leaked email from Rob Elsey, Co-op’s Digital and Information Officer, giving staff an update on the incident and asking that they bear with the company as they would experience difficulties with IT.

In responding to a cyber incident, we have to work on the possibility that any internal email or update on an incident could be shared with journalists, and so we have to view all internal communications with the same scrutiny as if they were going external. When the Post Office International Parcels were hacked in January 2023, the ransomware note was leaked to a journalist within 5 minutes of it being sent to the company.

Other news outlets picked up on the story and Computer Weekly said Co-op had to pull the plug on some of their IT systems to contain the incident. In subsequent articles, it seems that the plug was pulled on their stock management systems and that taking them offline caused the issues of having shops with little or no stock. Taking a system offline contains the issue, but you can’t put it back online until the attackers have been eradicated from it. This has taken some time, as the shops are only now coming back to full stock, and there are no longer gaps on the shelves.

1st May – Broken by Computer Weekly – staff had been told to stop using the VPN, that they could come into the office and work, and that they should be wary that their communication channels may be monitored. I am not sure whether this was a precaution suggested by those helping them respond, or whether it was a real threat, but I think it is a good point that until you can confirm that an attacker has not breached the organisation’s communications, as a precaution, staff should be wary that their communications may be being monitored. Remember, if the attackers have access to your system, they could set themselves up as new users on your system and then, in terms of communications, they appear to be genuine company staff.

2nd May – Due to communications between the hackers and the BBC, Co-op was forced to admit that a substantial amount of data had been lost, with the attackers claiming they had the data of 20 million people. This is part of the methodology of ransomware: they try and put pressure on the organisation by informing others of a data breach both inside and outside the company to try and pressure the organisation into paying. This is the first I am aware of hackers having a direct conversation with the BBC to break what data has been lost.

I haven’t seen the initial press releases from the Co-op as they aren’t on their website anymore, but they appear not to say they had lost data, so they have not fallen into the classic trap of Arnold Clark and Capita, saying there appears to be no loss of data, only for the newspapers to break the news 2 weeks or so later that there is lots of the organisation’s data on the dark web. They appear not to mention loss of data and so their press release to date is not contradicted.

6th May (and subsequently on the 15th and 30th May) – I received an email addressed to me giving an update on the progress. I have written a review of the email in a previous bulletin. I think, in terms of timing, it is quite impressive to get communications out this quickly. I suspect it helped that the Co-op is a membership organisation, so it has a list of its members, which is easy to access and regularly used for marketing purposes. I think communicating with those affected early on is good practice.

We also see articles about the impact of the attack on loss of stock to their Co-op stores. The BBC ran articles with pictures of empty shelves in Skye, Kyle of Lochalsh, and Islay. I think this made the attack more real and shows to people that a cyber attack has real impact on people’s lives. Having the attack on M&S and Harrods at the same time multiplies this effect. I have seen nothing on the Harrods attack, but I don’t shop there or hold a loyalty card!

14th May – The Co-op put out a press release on progress of the incident saying that they ‘pulled the plug’ on some of their systems as a precaution. This is then picked up by the BBC as a headline to an article, even though it had already been broken on the 30th April. It proves the point that if you put out information in a press statement, journalists will read it and then make it part of their story. I encourage those dealing with crisis communications in a cyber incident to put out information they are happy to share – especially good news stories – on their websites, as journalists will pick this up and use it in their articles.

22nd May – The Independent wrote an article saying that the Co-op were still facing shortages, with the shop saying that they were receiving a third less stock than they normally would. This could be because the rebuilding of the stock system is taking time, but also, if you run a just-in-time logistics system, it can take some time to get back to full shop stocking, as there is limited capacity to take the extra stock to fill empty shelves. This has to be structured into our response and is part of the long tail of recovery after a cyber incident.

The Co-op seems to be getting back to full recovery and when I was in our local Co-op, there were still some gaps, but you had to look closely to see them – and this was an organisation which took down its own systems and didn’t actually have a ransomware attack. The M&S attack, they have already said, will cost approximately £300m and take the organisation months to recover. We can see the devastating impact of a cyber attack. Cyber attacks become a lot more real for the public when they have a tangible effect on them – when they see empty shelves or they can’t order items online.
