The Co-op in its interim results reported an ‘estimated adverse revenue impact of £206m relating to lost trade due to the cyber disruption’ beginning in April.
The biggest impact was to its food business, ‘where systems were replaced by manual processes, impacting the availability of stock. There was also a knock-on impact in waste due to stock allocation and our reduced promotional activity, and a tail of recovering customer behaviour’.
On what Chief Executive, Shirine Khoury-Haq described as a significant cyber attack, she said: “I’m very proud of how we reacted: we kept trading, prioritised colleagues and vulnerable communities, and launched a partnership with The Hacking Games to tackle youth disenfranchisement – the root of many cyber threats.”
In more detail, stock wastage was put at £6m in the Co-op’s food business, where it has about 2300 stores; while the cyber attack impact to operating profit in the first half of 2025 was £80m. Management estimate a further £40m impact on the second half of the year as the retailer faces recovery costs and sees volume levels return ‘gradually’. It will take time to fully build back all systems and operations, the Co-op admitted.
Elsewhere in the results the cyber attack was described as ‘sophisticated, multi-stage’. As confirmed elsewhere by the UK official Cyber Security Centre (NCSC), the Co-op worked closely with the NCSC and the National Crime Agency (NCA), ‘who confirmed the nature of the incident’ and supported response. The Co-op described their involvement as ‘crucial, given the growing threat of organised cyber crime’.
Comment
However, many business leaders still don’t recognise these consequences and under invest in defences, leaving their organisation exposed. Security teams are left with minimal resources to protect their organisation, then when something goes wrong, business leaders want to understand why.
“In reality, business leaders must recognise the importance of cyber defences, and the criticality of not taking gambles. After all, in the aftermath of a breach, it is executives who will face customers, shareholders and the wider public, apologising for not having done enough, explaining why protections fell short and taking responsibility for the financial losses.
“Suffering losses of £206m is astronomical, and few organisations would be able to survive from this. Fortunately for an organisation as large as the Co-op, it’s been a heavy blow, but recoverable. This incident must act as a catalyst for organisations to prioritise defences. This is no longer optional. Attackers don’t see any business as optional, if they can find a way in to your network, they will use it, regardless of your size, perceived importance or line of business.”
