Co-op shuts down part of IT network after cyberattack attempt

Experts commend “effective containment strategy”

The Co-operative Group has been forced to temporarily shut down parts of its IT infrastructure following an attempted cyberattack

The Co-operative Group has been forced to temporarily shut down parts of its IT infrastructure following an attempted cyberattack, just days after Marks & Spencer (M&S) suffered a significant cybersecurity breach.

In a letter to staff sent Tuesday and seen by The Guardian, the Co-op confirmed it had "taken steps to keep systems safe" by pre-emptively withdrawing "access to some systems for the moment."

The move impacts internal business operations across several divisions, including grocery retail and legal services.

The group, which operates more than 2,000 grocery stores and over 800 funeral parlours, acknowledged that services used by back-office teams and those managing store operations had been curtailed.

Sources familiar with the matter revealed that the stock monitoring system is among those affected, warning that some shelves could see shortages if the issue persists.

Remote work capabilities have also been restricted. As of Wednesday, some employees were unable to access systems from home after the company blocked virtual desktops.

Despite the disruption, all Co-op retail stores, including rapid delivery services, and funeral homes continue to operate as normal.

"We have recently experienced attempts to gain unauthorised access to some of our systems," a Co-op spokesperson told The Guardian.

"As a result, we have taken proactive steps to keep our systems safe, which has resulted in a small impact to some of our back office and call centre services."

The National Cyber Security Centre (NCSC) confirmed it is working with the Co-op in response to the incident and is also investigating the attack on M&S, exploring possible links between the two.

At present, the Co-op has not reported any compromise of customer data.

"We are not asking our members or customers to do anything differently at this point," the spokesperson said, adding that the business would continue to provide updates as needed.

The attempted cyberattack comes at a time when the Co-op has been increasingly investing in technology as part of efforts to reduce operational costs and combat retail crime. The group has recently rolled out innovations such as electronic shelf-edge pricing and is expanding its fast-track online delivery service.

While the company works to bring affected systems back online, internal sources say the focus remains on minimising operational disruption and ensuring cyber defences are strengthened across the board.

"The Co-op's decision to proactively shut down parts of its IT systems following a cyber threat, whilst keeping essential business operations running, is a strong example of an effective containment strategy in action," said Raghu Nandakumara, Head of Industry Solutions at Illumio.

"Unlike many organisations, which are forced to halt operations entirely after attacks, the Co-op appears to have protected its most critical services and maintained business continuity. This kind of resilience reflects a shift towards a containment mindset: ensuring that even when under attack, essential services remain operational while the root cause is investigated and resolved."

Adam Casey, Director of Cybersecurity & CISO at Qodea commented on the vulnerability of large retailers to cyberattacks.

“Large retailers have intricate IT infrastructures with numerous interconnected systems, resulting in a high number of potential entry points for attackers. At the same time, cybercriminals are leveraging AI to craft convincing phishing emails, develop smarter malware, and automate their operations – making attacks faster, more targeted, and harder to detect.

“Shutting down affected systems is a standard and crucial step in managing a significant cyber incident. Isolating compromised systems limits the attacker's ability to move laterally within the network and infect other critical infrastructure. This move also helps to contain the damage, as shutting down systems can prevent further data encryption, exfiltration, or corruption. Drawing operations to a halt also allows cybersecurity experts to safely analyse the affected systems, identify the root cause, and implement necessary fixes without the risk of further interference."

M&S cyber crisis erases almost £700 million from market value

The incident comes as Marks and Spencer (M&S) continues to grapple with a severe operational crisis following a suspected cyberattack, which has erased almost £700 million from its market valuation over the past week.

The IT chaos, which first came to light last week, escalated significantly by last Friday when M&S was forced to halt online orders for its clothing and homeware divisions – a segment that generated £1.27 billion in sales last year, averaging around £3.5 million per day.

On Monday, the company communicated to some customers that it remained uncertain how long it would take to restart these online operations.

The disruption has had immediate knock-on effects on staffing. Approximately 200 agency workers at M&S's main online distribution centre in Leicestershire were instructed to stay home due to the drastic reduction in orders needing fulfilment.

In-store operations have also been significantly impacted. The financial repercussions have been stark. M&S shares dipped over 2% on Monday morning, contributing to a total decline of 7% since the IT issues were first disclosed.

This slump translates directly to a £678 million reduction in the company's market capitalisation during that period.

M&S has formally reported the incident to the Information Commissioner's Office (ICO), adhering to the requirement for organisations to report significant data breaches within 72 hours of becoming aware of them.

The retailer is also collaborating with the NCSC to manage its response to the breach.