Co-op Group appear to be trying to course correct with their cyber incident comms.
They’re calling it a cyber incident now, and have put a statement on the front page of their website, along with an FAQ. They haven’t yet emailed members (they should). Edit: they’ve started emailing members.
People are also taking to social media to post pictures of apparently emptying store shelves.
The Co-op website claims it is down to "technical issues".
Co-op Group are redirecting supplies from their urban stores to remote and island locations due to stock shortages.
The article mentions their EDI platform is suffering “technical issues”. https://www.retailgazette.co.uk/blog/2025/05/co-op-reroutes-stock/
I just did a Shodan Safari on Co-op - basically all their Windows and Linux systems in their core DCs at network boundary are down, it's not just EDI. It's been like that for just under a week, prior to that things were still online.
I feel really bad for them as it's a great org. Also their CEO is basically the only one who stood up like this for trans people.
https://www.telegraph.co.uk/business/2025/05/04/ill-protect-trans-people-to-the-end-vows-co-op-boss/
If you're wondering about Marks and Spencer - I just did a Shodan Safari of their network boundary, Palo-Alto GlobalProtect VPN remote access access is still offline, 15 days later.
Online orders are still not working, and the store stock checker is disabled now.
The Grocer reports 4 regional Co-ops, who aren’t part of Co-op Group, are suffering stock shortages as they are supplied by Co-op Group.
They expect customers to start to see availability issues on shelves in the coming days.
For orgs looking for defence tips for the attacks on UK retailers, this blog from 2022 about the UK teenagers in LAPSUS$ has relevance.
As a plot twist - not documented anywhere online, but LAPSUS$ first attacks in 2021 were against UK high street retailers.
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads.
Co-op Group have provided some more detail about what it’s doing about remote lifeline stores (ones where they’re the main/only retailer on an island):
“From Monday, 12 of the most remote lifeline stores will receive treble the volume of available product, and another 20 lifeline stores will get double the volume.” https://www.bbc.com/news/articles/c071e7x80djo
This ITV News report linking the Co-op and M&S breaches to SIM swapping is not accurate, no source given. https://www.itv.com/news/2025-05-12/sim-swap-fraud-rises-by-1000-as-criminals-exploit-two-factor-authentication
They also have a report today saying Co-op stores are restocked, which is also not accurate - that one is sourced from Co-op, but obviously doesn’t stack up to looking in Co-op stores.
If anybody is wondering, all of Marks and Spencer's Palo-Alto GlobalProtect VPN boxes are still offline, 3 weeks later. Pretty good containment method to keep attackers out.
Co-op's VDE environment is still down, too.
https://cyberplace.social/@GossiTheDog/114399017367179104
Co-op's AGM is this weekend, and M&S yearly results and investor contact are next week.
Gonna be awkward for different reasons, e.g. Co-op is member (customer) owned, so the people's data Co-op had stolen are effectively the shareholders and are invited.
The Grocer reports Nisa and Costcutter are running out of fruit & veg, fresh meat and poultry, dairy products, chilled ready meals, snacks and desserts.
Nisa and Costcutter are supplied by Co-op Wholesale, which is dependent on Co-op Group.
“It’s really poor. I feel bad for them but what makes it worse is their hush-hush mentality about it. There’s no proper level of communication and we get random updates.”
Co-op Wholesale claim there are no problems. https://www.thegrocer.co.uk/news/nisa-and-costcutter-hit-by-stock-shortages-amid-co-op-cyberattack/704393.article
Co-op Group have told their suppliers that "systemic-based orders will resume for ambient, fresh, and frozen products commencing Wednesday 14 May". They say forecasting system will still be impacted.
https://www.thegrocer.co.uk/news/co-op-to-get-systems-back-on-track-after-cyberattack/704425.article
Co-op Group say they have exited containment and begun recovery phase https://www.theguardian.com/business/2025/may/14/co-op-cyber-attack-stock-availability-in-stores-will-not-improve-until-weekend
Marks and Spencer are still in containment
If you want figures for your board to set expectations in big game ransomware incidents, Co-op containment just over 2 weeks, M&S just over 3 weeks so far - recovery comes after.
In terms of external assistance, Co-op have Microsoft Incident Response (DART), KPMG and crisis comms. M&S have CrowdStrike, Microsoft, Fenix and crisis comms.
The threat actor at Co-op says Co-op shut systems down, which appears to have really pissed off the threat actor. This was the right, and smart, thing to do.
While I was at Co-op we did a rehearsal of ransomware deployment on point of sale devices with the retail team, and the outcome was a business ending event due to the inability to take payments for a prolonged period of time. So early intervention with containment was the right thing to do, 100%.
M&S have finally told staff that data about themselves was stolen: https://www.telegraph.co.uk/business/2025/05/16/ms-staff-data-stolen-by-hackers-in-cyber-attack/
You may notice I said they had staff data stolen on May 9th in this thread.
For the record, the tools listed in this article aren't used by Co-op.
The link in the article to Vectra Cognito AI has a Coop Sweden logo on it, and the Coop Sweden CISO is named. Coop Sweden is different company. Coop Sweden went on to have a ransomware attack that crippled the org, including point of sale, so I don't think it's a good sales point. Same with Silverfort.
Google AI has ingested the article and now uses it to claim Co-op Group use the tools.
The Times reports M&S were breached through a contractor and that human error is to blame. (Both M&S and Co-op use TCS for their IT Service Desk).
The threat actor went undetected for 52 hours. (I suspect detection was when their ESXi cluster got encrypted).
M&S have told the Times they had no “direct” communication with DragonForce, which is code for they’re using a third party to negotiate - standard practice.
https://www.thetimes.com/uk/technology-uk/article/m-and-s-boss-cyber-attack-7d9hvk6ds
M&S looks to be moving to reposition their incident as a third party failure, which I imagine will help redirect some of the blame (they present their financial results during the week to investors): https://www.bbc.co.uk/news/articles/cpqe213vw3po
Both M&S and Co-op outsourced their IT, including their Service Desk (helpdesk), to TCS (Tata) around 2018, as part of cost savings.
There's nothing to suggest TCS itself have a breach btw.
Basically, if you go for the lowest cost helpdesk - you might want to follow the NCSC advice on authenticating password and MFA token resets.
I've put a 3 part deep dive blog series coming out probably next week called Living-Off-The-Company, which is about how teenagers have realised large orgs have outsourced to MSPs who follow the same format of SOP documentation, use of cloud services etc. Orgs have introduced commonality to surf.
"Cyber analysts and retail executives said the company had been the victim of a ransomware attack, had refused to pay - following government advice - and was working to reinstall all of its computer systems."
Not sure who those analysts are, but since DragonForce haven't released any data and M&S won't comment other than to say they haven't had any "direct" contact with DragonForce, I wouldn't make that assumption.
There's also a line in the article from an cyber industry person saying "if it can happen to M&S, it can happen to anyone" - it's ridiculous and defeatist given Marks and Spencer haven't shared any technical information about how it happened, other than to tell The Sunday Times it was "human error"
The Air Safety version of cyber industry would be a plane crashing into 14 other planes, and industry air safety people going "Gosh, if that can happen to British Airways it could happen to anybody!"
Tomorrow it’s one month since Marks and Spencer started containment, it’s also their financial results day.
Online ordering still down, all recruitment stopped, Palo-Alto VPNs still offline.
TCS have been linked to the Marks and Spencer breach, at least in part.
The NCA has confirmed on the record that the investigation into the M&S and Co-op hack is focused on English teenagers. I could toot the names of the people I think they’ll pick up, but won’t.
TCS has a security incident running around the M&S breach.
Interestingly the source claims TCS aren't involved in Co-op's IT - which is categorically false, they took over most of it while I worked there, including the helpdesk, and my team (SecOps) after I left.
https://www.ft.com/content/c658645d-289d-49ee-bc1d-241c651516b0
Take something from the shelf and when you reach the checkout, it costs twice as much! Nice!
@GossiTheDog This stuff is brilliant. Based on e-paper and runs on Zigbee.
And they can raise the prices between you picking things off the shelf and going through the checkout and you'll have no proof that it was offered at a lower price.
Distraction News Friday 🙂🤷♂️
@GossiTheDog pssscht. Like that would ever happen lol
@GossiTheDog e-paper price labels are apparently extremely common in mainland Europe. The UK is extremely slow to adopt things like this.
*In theory*, during an incident, the labels would remain as-is until they receive a new price. So TAs would specifically need to target the pricing database prior to wiping.
@GossiTheDog Want to guess how much of my IT leadership career has been focused on building in-house expertise and dialing back the presence of MSPs?
Enough that it's made for a pretty good living...
@GossiTheDog when I got my business degree, one of my management profs said that the instant you outsource, you give up control. To the service provider, you move from income to liability on the balance sheet because you now are costing them money, and to eke out any profit they need to cut costs related to providing service to you.
Thus you get all this *gestures vaguely*
@GossiTheDog I would love for IT to publish accident investigation reports in the same way as aviation.
No blame, no liability, no finger pointing, just lessons for everyone to learn and hopefully avoid the same.
(I know there have been some like the Irish Health Service that were excellent.)
@GossiTheDog yeah, breach the "low cost" IT outsourcer - whose staff feel little connection or affinity with the corporate customer - and *bingo* you hit the jackpot 🎰 with multiple corporate accounts to ransom.
How's that "low cost IT outsourcing" looking now?
@GossiTheDog I recall it was a "TCS_80_ip" list in Entra Id marked "Trusted"/"MFA exempt" that contained 80 ranges from /15 to /24...
Yet happily pivoting through 3 layer deep RDP to get to a system to manage 
Kevin Beaumont
Newk
Ivor Hewitt
Alda Vigdís
Simon Zerafa
Brian Smith
Philip Johansson 🏴☠️💜
ISO8601
RichBartlett 
Richard Bairwell
Flippin' 'eck, Tucker!
Graham Sutherland / Polynomial
Fennix
Otte Homan - remember Geordie
Dave 🐶
Michael Kohlman
Indieterminacy
Joel Michael
JP
Ray—Golden Retriever Whisperer—🔝Insights
O'Schell
Alex 
Matthew Skelton
Roger BW 😷
Chris Pitts
*sigh*Ber nard
Fritz Adalis
⊥ᵒᵚ⁄Cᵸᵎᶺᵋᶫ∸ᵒᵘ ☑️
Billy Smith
caskfan
Chris
Marcus The Board Gamer
MattChippytea
beemoh
Ollie 🇪🇺🏳️🌈🏳️⚧️
Rob\Viewdata UK