The Co-operative Group (Co-op) has admitted that a cyber-attack on its systems in April has slashed its revenues by £206 million in the first half of the year.
The retail business was infiltrated by hackers following a similar attack on Marks & Spencer (M&S).
During the attack, Co-op was forced to temporarily shut down a number of systems and business services to contain the threat. The company’s stock monitoring was also impacted by the incident.
This lead to stock shortages at some of its stores, with the company attempting to circumvent the problem in remote communities by diverting its food and drink supplies to more isolated locations.
Co-op’s chief executive Shirine Khoury-Haq also admitted that all 6.5 million of its members had their data stolen in the cyber incident.
Fellow British retailer M&S told the BBC earlier this year that the cyber-attack it faced would cost it around £300 million in operating profits.
In June, the Cyber Monitoring Centre (CMC) classified the cyber attacks on the Co-op and M&S as a Category 2 systemic event in its first live public a assessment of the financial impact on the UK of a cyber incident.
The CMC – a non-profit organisation which aims to assess the severity of cyber incidents – estimated at the time that the total financial impact across affected parties would be between £270 million and £440 million.
Commenting on Co-op’s first financial results following the cyber-attack, Debbie White, chair of the company said: “The first half of 2025 brought significant challenges, most notably from a malicious cyber attack. Our balance sheet strength and the magnificent response of our 53,000 colleagues enabled us to maintain vital services for our members and their communities. We must now build our Co-op back better and stronger to meet the challenges and opportunities that lie ahead.”
Co-op boss Shirine Khoury-Haq expressed pride about the organisation’s response to the attack, with the business continuing to trade and launching a partnership with The Hacking Games to help prevent cybercrime by identifying young cyber talent.
“The cyber attack highlighted many of our strengths,” continued the chief exec. “But more importantly, it also highlighted areas we need to focus on – particularly in our Food business.
“We’ve already started on this journey, refining our member and customer proposition, making structural changes to our business, and setting our Co-op up for long-term success.”
The company said as it manages a reduced level of cyber impact during the second half of the year, it anticipates continued cost headwinds, global volatility and high competition.
Four people were arrested by the National Crime Agency in July in connection with the cyber-attacks against Co-op, M&S, and another less impactful incident at Harrods.
Following an investigation by the law enforcement agency, two males aged 19, another aged 17, and a 20-year-old female were apprehended in the West Midlands and London.
They were arrested on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.
