Kevin BeaumontThe Grocer reports 4 regional Co-ops, who aren’t part of Co-op Group, are suffering stock shortages as they are supplied by Co-op Group.
They expect customers to start to see availability issues on shelves in the coming days.
For orgs looking for defence tips for the attacks on UK retailers, this blog from 2022 about the UK teenagers in LAPSUS$ has relevance.
As a plot twist - not documented anywhere online, but LAPSUS$ first attacks in 2021 were against UK high street retailers.
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction | Microsoft Security Blog
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads.
For anybody wondering what 'dial into the incident response bridge' means, it means they'll literally Teams call into cyber IR bridges as themselves and just extort you to your face. They'll also call CISOs etc. Bad Times at the El Royale.
Marks & Spencer bureau de change staff are being forced to use pen and paper to serve customers as a result of the cyber attack on the retailer and cannot accept card payment. https://www.thisismoney.co.uk/money/markets/article-14696595/Hack-rocks-Marks-Spencer-bureau-change.html
Co-op Group have provided some more detail about what it’s doing about remote lifeline stores (ones where they’re the main/only retailer on an island):
“From Monday, 12 of the most remote lifeline stores will receive treble the volume of available product, and another 20 lifeline stores will get double the volume.” https://www.bbc.com/news/articles/c071e7x80djo
DragonForce Ransomware Cartel’s portal is back online after a multi week outage. No sign of M&S or Co-op’s data.
All M&S recruitment is still stopped, 19 days in. https://jobs.marksandspencer.com/
I think Co-op may have stopped recruitment too, they’re a big employer so usually have hundreds of open positions - currently they have 17, and most close today and the rest in a few days.
The Record quotes a Co-op worker as saying they are operating at well below 20% of their normal capacity in depots. https://therecord.media/co-op-cyberattack-uk-company-fears-hackers-still-in-system
Allianz supplies Marks and Spencer's cyber insurance, and will apparently suffer a full tower loss (i.e. it's going to be expensive) https://www.insuranceinsider.com/article/2esiwg4yv6p38pcf2pgxs/lines-of-business/cyber/allianz-leads-cyber-cover-for-m-s-ransomware-attack
People in Machynlleth are apparently turning up at local farms in search of food due to lack of produce at Co-op https://www.cambrian-news.co.uk/news/cyber-attack-people-turning-up-at-farms-as-machynlleth-co-op-shelves-remain-bare-792434
Co-op stores in Sheffield, Badenoch, Dunfermline and many other places are apparently running out of produce - it's not possible to keep up with the local media reports but they're basically bored reporters get sent out to photograph half empty fridges.
This ITV News report linking the Co-op and M&S breaches to SIM swapping is not accurate, no source given. https://www.itv.com/news/2025-05-12/sim-swap-fraud-rises-by-1000-as-criminals-exploit-two-factor-authentication
They also have a report today saying Co-op stores are restocked, which is also not accurate - that one is sourced from Co-op, but obviously doesn’t stack up to looking in Co-op stores.
If anybody is wondering, all of Marks and Spencer's Palo-Alto GlobalProtect VPN boxes are still offline, 3 weeks later. Pretty good containment method to keep attackers out.
Co-op's VDE environment is still down, too.
https://cyberplace.social/@GossiTheDog/114399017367179104
M&S confirm my toot from 3 days ago that a significant amount of customer and staff data was stolen. They’ve known for weeks but opted not to tell anybody. https://www.bbc.com/news/articles/c62v34zv828o
Re the Co-op Group breach, Co-op say home addresses of customers were exfiltrated (it was the membership database). This one dates back to my May 2nd toot upthread re home addresses - at the time, they didn't specify home addresses.
Co-op's AGM is this weekend, and M&S yearly results and investor contact are next week.
Gonna be awkward for different reasons, e.g. Co-op is member (customer) owned, so the people's data Co-op had stolen are effectively the shareholders and are invited.
The Channel Islands Coop, which is different to Co-op Group, has been able to restock shelves by moving away from Co-op Group for supply distribution and moving to local suppliers. https://www.bbc.co.uk/news/articles/c3d4xvg3x1do
The Grocer reports Nisa and Costcutter are running out of fruit & veg, fresh meat and poultry, dairy products, chilled ready meals, snacks and desserts.
Nisa and Costcutter are supplied by Co-op Wholesale, which is dependent on Co-op Group.
“It’s really poor. I feel bad for them but what makes it worse is their hush-hush mentality about it. There’s no proper level of communication and we get random updates.”
Co-op Wholesale claim there are no problems. https://www.thegrocer.co.uk/news/nisa-and-costcutter-hit-by-stock-shortages-amid-co-op-cyberattack/704393.article
A look at supplies in stores today, after Co-op told ITV yesterday that stores were restocked 😅
And a video
Co-op Group have told their suppliers that "systemic-based orders will resume for ambient, fresh, and frozen products commencing Wednesday 14 May". They say forecasting system will still be impacted.
https://www.thegrocer.co.uk/news/co-op-to-get-systems-back-on-track-after-cyberattack/704425.article
Harrods say they are not asking customers to do anything differently at this point.
Financial Times report Marks and Spencer expect to claim £100m on their cyber insurance, the maximum allowed, suggesting losses probably more. https://www.ft.com/content/723b6195-1ce7-4b5f-94f5-729e9152c578
Co-op Group say they have exited containment and begun recovery phase https://www.theguardian.com/business/2025/may/14/co-op-cyber-attack-stock-availability-in-stores-will-not-improve-until-weekend
Marks and Spencer are still in containment
If you want figures for your board to set expectations in big game ransomware incidents, Co-op containment just over 2 weeks, M&S just over 3 weeks so far - recovery comes after.
In terms of external assistance, Co-op have Microsoft Incident Response (DART), KPMG and crisis comms. M&S have CrowdStrike, Microsoft, Fenix and crisis comms.
The threat actor at Co-op says Co-op shut systems down, which appears to have really pissed off the threat actor. This was the right, and smart, thing to do.
While I was at Co-op we did a rehearsal of ransomware deployment on point of sale devices with the retail team, and the outcome was a business ending event due to the inability to take payments for a prolonged period of time. So early intervention with containment was the right thing to do, 100%.
Co-op Group recruitment looks like it is starting again, first new roles in two weeks posted. https://hcnq.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX/jobs
Marks and Spencer say food distribution to their stores is returning to normal. It follows Co-op's announcement yesterday that food and drink distribution will begin to return to normal from the weekend. https://www.reuters.com/business/retail-consumer/uks-ms-says-food-availability-improving-every-day-2025-05-15/
27 new jobs at Co-op added today, and it's only midday. So recruitment was definitely paused for two weeks and now active again.
M&S have finally told staff that data about themselves was stolen: https://www.telegraph.co.uk/business/2025/05/16/ms-staff-data-stolen-by-hackers-in-cyber-attack/
You may notice I said they had staff data stolen on May 9th in this thread.
For the record, the tools listed in this article aren't used by Co-op.
The link in the article to Vectra Cognito AI has a Coop Sweden logo on it, and the Coop Sweden CISO is named. Coop Sweden is different company. Coop Sweden went on to have a ransomware attack that crippled the org, including point of sale, so I don't think it's a good sales point. Same with Silverfort.
Google AI has ingested the article and now uses it to claim Co-op Group use the tools.
M&S recruitment is still fully stopped, almost a month in. Co-op opened 46 new vacancies today.
Marks and Spencer’s CEO will lose a £1.1m share grant as a result of their cyber incident. https://www.ft.com/content/43531d25-4f7a-4d6e-b809-e85bb8f0033e
The Times reports M&S were breached through a contractor and that human error is to blame. (Both M&S and Co-op use TCS for their IT Service Desk).
The threat actor went undetected for 52 hours. (I suspect detection was when their ESXi cluster got encrypted).
M&S have told the Times they had no “direct” communication with DragonForce, which is code for they’re using a third party to negotiate - standard practice.
https://www.thetimes.com/uk/technology-uk/article/m-and-s-boss-cyber-attack-7d9hvk6ds
M&S looks to be moving to reposition their incident as a third party failure, which I imagine will help redirect some of the blame (they present their financial results during the week to investors): https://www.bbc.co.uk/news/articles/cpqe213vw3po
Both M&S and Co-op outsourced their IT, including their Service Desk (helpdesk), to TCS (Tata) around 2018, as part of cost savings.
There's nothing to suggest TCS itself have a breach btw.
Basically, if you go for the lowest cost helpdesk - you might want to follow the NCSC advice on authenticating password and MFA token resets.
I've put a 3 part deep dive blog series coming out probably next week called Living-Off-The-Company, which is about how teenagers have realised large orgs have outsourced to MSPs who follow the same format of SOP documentation, use of cloud services etc. Orgs have introduced commonality to surf.
The Office of the Privacy Commissioner for Personal Data (PCPD) has confirmed that Marks and Spencer (M&S) Hong Kong has not informed it of a recent customer data leak, nor responded to its enquiries. https://hongkongfp.com/2025/05/19/ms-hong-kong-not-responding-to-privacy-commissioners-office-after-online-customer-data-breach/
"Cyber analysts and retail executives said the company had been the victim of a ransomware attack, had refused to pay - following government advice - and was working to reinstall all of its computer systems."
Not sure who those analysts are, but since DragonForce haven't released any data and M&S won't comment other than to say they haven't had any "direct" contact with DragonForce, I wouldn't make that assumption.
There's also a line in the article from an cyber industry person saying "if it can happen to M&S, it can happen to anyone" - it's ridiculous and defeatist given Marks and Spencer haven't shared any technical information about how it happened, other than to tell The Sunday Times it was "human error"
The Air Safety version of cyber industry would be a plane crashing into 14 other planes, and industry air safety people going "Gosh, if that can happen to British Airways it could happen to anybody!"
Tomorrow it’s one month since Marks and Spencer started containment, it’s also their financial results day.
Online ordering still down, all recruitment stopped, Palo-Alto VPNs still offline.
TCS have been linked to the Marks and Spencer breach, at least in part.
I made this point a few weeks ago, but... outsourcing all your IT, Networks, Service Desk (helpdesk) and operational cybersecurity is a temporary cost saving and basically paints a ticking timebomb on the org, IMHO.
M&S say online ordering will be stopped until sometime in July, and it has taken a £300m hit, far higher than analysts had predicted. https://www.bbc.co.uk/news/articles/c93llkg4n51o
Their CEO has commented they’ve drawn a line under the hack, without recovering, which has a bit of this energy honestly
The NCA has confirmed on the record that the investigation into the M&S and Co-op hack is focused on English teenagers. I could toot the names of the people I think they’ll pick up, but won’t.
The CEO of M&S has declined to comment if they have paid a ransom. For the record: I’ve heard they have, in secret, via their insurance. https://www.reuters.com/business/retail-consumer/ms-says-cyber-attack-was-result-human-error-declines-comment-ransom-2025-05-21/
Co-op Group announces it's getting rid of paper prices in stores, going to electric displays. Good luck during a ransomware incident 😒
TCS has a security incident running around the M&S breach.
Interestingly the source claims TCS aren't involved in Co-op's IT - which is categorically false, they took over most of it while I worked there, including the helpdesk, and my team (SecOps) after I left.
https://www.ft.com/content/c658645d-289d-49ee-bc1d-241c651516b0
Insurance Insider say Co-op Group have no cyber insurance policy.
It’s got the insurance industry hard as they think they can ambulance chase other orgs with it.
Seven weeks in, Marks and Spencer still have recruitment closed, online orders stopped and no Palo-Alto GlobalProtect VPN.
While Co-op have restored every customer facing system and internal systems like recruitment and remote working, M&S still don't even have recruitment back.
I'm reliably told they paid the ransom, so they'll be target #1 basically forever with other ransomware groups now due to resiliency woes and willingness to pay.
Marks and Spencer's remuneration committee have opted not to dock the CEOs pay as expected and prior reported over the cyber incident, but instead increased it by £2m.
https://www.bbc.co.uk/news/articles/c23mz5eg091o
https://www.bbc.co.uk/news/articles/c23mz5eg091o
Marks & Spencer is holding walk-in in-store recruitment open days to fill vacant roles while its online hiring system remains offline following its ransomware attack in April. https://www.thegrocer.co.uk/news/mands-stores-staging-walk-in-recruitment-open-days-amid-cyberattack-disruption/705189.article
This Daily Mail piece about security leaders thinking work-from-home means they will be crippled is horseshit, I'm not linking it.
They've taken a survey about how security people think their businesses couldn't survive ransomware, and linked it to working from home. WFH isn't the problem: business IT and resilience being built on quicksand is the problem.
Craig Stewart@GossiTheDog the daily mail publishing click bait headlines with sensationalist takes that fit the narrative the rich and powerful want to push? Who could have predicted that ahead of time?
SecureWaffle🧇@GossiTheDog
Sounds like their companies rely on a hard outer shell and a squishy inside defense and nearly no layers of security.
Sounds like their companies rely on a hard outer shell and a squishy inside defense and nearly no layers of security.
Rose@SecureWaffle @GossiTheDog always zero trust, never squishy architecture
Walker@GossiTheDog Daily Mail absurdity aside, there is an argument to be made the WFH does increase risk.... IF the organization does not take basic steps to secure the environment.
Using early 2000s security posture of parameter logic will result in insecurity with WFH. Security leaders need to address the risk appropriately.
The challenges are not huge and can be mitigated with a little thought and care with technology such as Zero Trust, EDR, VPN, basic security hygiene, and user training and awareness.
WFH employees will still get compromised but with basic protections the damage will be isolated and not need to spread through the environment.
Osma A 🇫🇮🇺🇦Using early 2000s security posture, staff working from offices are an incredible risk to the organization. They will be compromised just as fast there, while also being inside a physical perimeter.
@Walker @GossiTheDog
@Walker @GossiTheDog
piofthings@GossiTheDog anything to discredit wfh!
Bebadefabo@GossiTheDog bankers are so afraid of WFH destroying the commercial real estate market, they'll pay for all kinds of bogus studies and make sure they get published and repeated far and wide to attempt to stop the wave of progress and modernization that is WFH. WFH is better for EVERYONE except the bankers who own your office. Fuck them. Fuck companies that capitulate to bankers and enact RTO policies to get preferential lending rates. Stay home
fuzzyfuzzyfungus@GossiTheDog Looks like a product of the "a good lie contains as much truth as possible" school.
The connection to WFH is spurious; but only two thirds sounds low for "We don't really understand our problems; but they are probably apocalyptic".
Ed@GossiTheDog only two thirds of security leaders think that if they got successfully ransomwared that it could 'cripple' their business? I guess some people are just really confident in their incident response.
@GossiTheDog The 'WFH' allegations seem in especially bad faith given the suspected entry point for the M&S compromise: the outsourced helpdesk.
Those guys are even more compliant labor than work-not-from-home employees, so the Daily Heil isn't going to say anything; but lack even the (informal; but in practice often at least reasonably effective) "does the IT person you just poked recognize who is interrupting with a password question?" ID verification step with onsite workers and onsite IT.
Misuse Case@fuzzyfuzzyfungus @GossiTheDog Indeed, the way many organizations get got is through poorly secured third-party service providers. Not employees doing WFH.
Martin Vermeer FCD@GossiTheDog Nice job if you can get it
Dylan </closingtags.com>@GossiTheDog Incredible. I'm sure the blame will be passed on to some lowly IT personnel and the leadership will take none of it. Leadership loves taking credit for profits but when it comes to losses, that's not on them.
Merry ChristmasMarks and Spencer abandoned my city to take themselves out in the sticks where the only way to get to them from here, is by car, so I have abandoned Marks and Spencer's, they have nothing really original anyway.
@GossiTheDog The greatest lie Office Space ever told is that "What would you say you do here?" is primarily a question to be asked down rather than up.
VessOnSecurity@GossiTheDog I guess, compared to that, paying the ransom was just peanuts, yes?
AnneH@bontchev @GossiTheDog haha pay the CEO eye-watering amounts so that if you get ransomed it's cheap😂
sigi714@GossiTheDog RaaCEOS
Joel Michael@GossiTheDog CISO is an ablative role
Otte Homan - remember Geordie@GossiTheDog we/they/someone/anyone *really* need to think very hard about how to properly redo absolutely secure internet facing IT systems.
Alan Miller 
🇺🇦@GossiTheDog guess they're going to need to fully embrace "it's *when* you get hacked not *if* you get hacked."
groff@GossiTheDog If they paid it did them precisely no good and put an even bigger target on their back. Stupid decision that will see their premiums go up massively.
@GossiTheDog any indication that the Sophos report here: https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/ is linked to TCS?
JP@GossiTheDog The sla got reset because the helpdesk marked the ticket closed, reopen if the problem persists.
@GossiTheDog That is really surprising. I wonder why they didn't?
Dave 🐶@GossiTheDog TCS will find a low-level engineer/analyst and their manager to fire. Say they've dealt with it and it'll never happen again.
NewkTake something from the shelf and when you reach the checkout, it costs twice as much! Nice!
HighlandLawyer@Newk @GossiTheDog
Which in the UK would be a criminal offence (under the law as it currently stands).
Which in the UK would be a criminal offence (under the law as it currently stands).
Ivor Hewitt@GossiTheDog I guess it's low risk since the electronic displays are basically paper - Dumb eink displays that you update via RFID from a handheld. (The ones I saw in the local coop worked that way anyway.)
Jernej Simončič �@ivor @GossiTheDog 3 or 4 years ago I was doing some IT work at a client while they had a demonstration of these eInk price displays. Those updated through IR, with special lamp fixtures with lots of mirrors on the ceiling – quite interesting technology, and I've since noticed those lamps at retailers that use this type of price displays. This can be tied directly into ERP, so as soon as you change the price in your accounting software, it can be changed on the shelf.
Alda Vigdís@GossiTheDog This stuff is brilliant. Based on e-paper and runs on Zigbee.
And they can raise the prices between you picking things off the shelf and going through the checkout and you'll have no proof that it was offered at a lower price.
punIssuer@alda all you need is a smartphone or digital camera (Polaroid would work too, but might be a bit costly)
@GossiTheDog
@GossiTheDog
RichBartlett 
@GossiTheDog and so the ransomware machine grinds on. Ffs.
Richard Bairwell@GossiTheDog > I could toot the names of the people I think they’ll pick up, but won’t. < Encrypt them with GPG and release the key afterwards?
Flippin' 'eck, Tucker!@GossiTheDog I took that to mean that they (or more likely the analysts they hired) have concluded it's cheaper/quicker/safer to rebuild new systems from scratch than to continue any further recovery. So drawing a line in a financial & investigative sense, rather than saying that £300 million is just a scratch.
@GossiTheDog And rebuilding from the ground up would seem to tie in with their statement about online orders being unavailable until at least July and then "ramping up" after that.
Graham Sutherland / Polynomial@GossiTheDog I must admit to not being particularly enamoured by the overall concept of third party identity security services.
Fennix@GossiTheDog how do in register a future "I told you so" without disclosing who it's for? Asking for a friend...
@GossiTheDog unless maybe you outsource, but to a bunch of different providers, spreading risk? ie use local OpenLDAP as an organisation management tool (does not eerste a huge amount of resources, then set up mail with A, storage with B, web with C, etc. ?
@GossiTheDog I can imagine many business leaders going "oh, it's okay, we don't use TCS, we have another outsourced supplier..."
Michael Kohlman@GossiTheDog Want to guess how much of my IT leadership career has been focused on building in-house expertise and dialing back the presence of MSPs?
Enough that it's made for a pretty good living...
@GossiTheDog Its rather hypocritical that the Coop would be wading into the outsourcing game
@GossiTheDog Every company is a computer company now
@jpm @GossiTheDog this is how we know the species is doomed.
Ray—Golden Retriever Whisperer—🔝Insights@GossiTheDog when I got my business degree, one of my management profs said that the instant you outsource, you give up control. To the service provider, you move from income to liability on the balance sheet because you now are costing them money, and to eke out any profit they need to cut costs related to providing service to you.
Thus you get all this *gestures vaguely*
O'Schell@GossiTheDog I would buy one of those action that goes up when it goes done ! Would that be considered 'outsider trading' ?