Kevin BeaumontThis ITV News report linking the Co-op and M&S breaches to SIM swapping is not accurate, no source given. https://www.itv.com/news/2025-05-12/sim-swap-fraud-rises-by-1000-as-criminals-exploit-two-factor-authentication
They also have a report today saying Co-op stores are restocked, which is also not accurate - that one is sourced from Co-op, but obviously doesn’t stack up to looking in Co-op stores.
If anybody is wondering, all of Marks and Spencer's Palo-Alto GlobalProtect VPN boxes are still offline, 3 weeks later. Pretty good containment method to keep attackers out.
Co-op's VDE environment is still down, too.
https://cyberplace.social/@GossiTheDog/114399017367179104
Co-op's AGM is this weekend, and M&S yearly results and investor contact are next week.
Gonna be awkward for different reasons, e.g. Co-op is member (customer) owned, so the people's data Co-op had stolen are effectively the shareholders and are invited.
The Grocer reports Nisa and Costcutter are running out of fruit & veg, fresh meat and poultry, dairy products, chilled ready meals, snacks and desserts.
Nisa and Costcutter are supplied by Co-op Wholesale, which is dependent on Co-op Group.
“It’s really poor. I feel bad for them but what makes it worse is their hush-hush mentality about it. There’s no proper level of communication and we get random updates.”
Co-op Wholesale claim there are no problems. https://www.thegrocer.co.uk/news/nisa-and-costcutter-hit-by-stock-shortages-amid-co-op-cyberattack/704393.article
Co-op Group have told their suppliers that "systemic-based orders will resume for ambient, fresh, and frozen products commencing Wednesday 14 May". They say forecasting system will still be impacted.
https://www.thegrocer.co.uk/news/co-op-to-get-systems-back-on-track-after-cyberattack/704425.article
Co-op Group say they have exited containment and begun recovery phase https://www.theguardian.com/business/2025/may/14/co-op-cyber-attack-stock-availability-in-stores-will-not-improve-until-weekend
Marks and Spencer are still in containment
If you want figures for your board to set expectations in big game ransomware incidents, Co-op containment just over 2 weeks, M&S just over 3 weeks so far - recovery comes after.
In terms of external assistance, Co-op have Microsoft Incident Response (DART), KPMG and crisis comms. M&S have CrowdStrike, Microsoft, Fenix and crisis comms.
The threat actor at Co-op says Co-op shut systems down, which appears to have really pissed off the threat actor. This was the right, and smart, thing to do.
While I was at Co-op we did a rehearsal of ransomware deployment on point of sale devices with the retail team, and the outcome was a business ending event due to the inability to take payments for a prolonged period of time. So early intervention with containment was the right thing to do, 100%.
M&S have finally told staff that data about themselves was stolen: https://www.telegraph.co.uk/business/2025/05/16/ms-staff-data-stolen-by-hackers-in-cyber-attack/
You may notice I said they had staff data stolen on May 9th in this thread.
For the record, the tools listed in this article aren't used by Co-op.
The link in the article to Vectra Cognito AI has a Coop Sweden logo on it, and the Coop Sweden CISO is named. Coop Sweden is different company. Coop Sweden went on to have a ransomware attack that crippled the org, including point of sale, so I don't think it's a good sales point. Same with Silverfort.
Google AI has ingested the article and now uses it to claim Co-op Group use the tools.
Ollie 🇪🇺🏳️🌈🏳️⚧️🇵🇸🇺🇦
Rob\Viewdata UKThis was yesterday evening in my local co-op store (close to central Manchester.) Still lots of empty spaces on the shelves.
Ben Gillam 
Gary Parker 
Ben Hardill
VessOnSecurity
Philipp Blum
Ben HammondThe quote
> They torched shareholder value
made me laugh
they have no idea what the Coop is
John KellyJust glad some of the lessons sank in....
Dave 🐶Confident on containment within 2 weeks?
Dr. Christopher Kunz
Ivor Hewitt
lambtor
thanneAmbient is shop-speak for stuff that is kept at room temperature. So biscuits, tea and coffee, tinned stuff, etc.
lp0 on fire 
@GossiTheDog, TP;DR.
(Too portrait; didn't watch.)
CabbageBeets
Phil
John Francis 🦫🇨🇦🍁💪⬆️@GossiTheDog the thieves could probably show up at the AGM and present themselves as a member, since they have access to all the information the Co-Op has on it's membership...number, address, etc.
Short of checking govt. ID or requiring a hard copy of the meeting invite that was mailed to their address. Even then, the thieves might've gotten away with that too.
@johnefrancis @GossiTheDog
Members who wanted to attend were supposed to indicate this on the agm voting form, which closed midday yesterday. I might have tried, but forgot to go back to it until too late..
I've not had any emails from coop about this, despite being a member. Nor from M&S, though I'm only registered on their app. (I can also continue to ignore Harrods, never having used them!)
And 45 mins later I get an email from M&S. Nice of them to reassure us that none of the stuff I can change, like bank cards, was stolen. Only the things I can't change, like date of birth.
Hywel Mallett
Everyday.Human Derek
greem@GossiTheDog Incident response specialists the world over wince into their keyboards.
This is another object lesson in how not to do it. It'll be taught to students in future.
Darran Lofthouse
Andy Herd@GossiTheDog I can only hope this data breach is the kick up the arse needed to abolish the common practice of using date of birth as an (immutable!) security password. Once it’s public knowledge it’s beyond useless… it’s a liability. Especially in banks.
I will not be holding my breath on this one.
Alexander Dyas"Importantly, there is no evidence that the information has been shared," he added.
That's fine then, because that will never happen.
Mike Spooner
shoaibusman88
Dr. David McBride (dwm)
Neil Brutalist