The Co-operative Group has revealed it lost £80 million ($107 million) from a cyberattack in April 2025, as the UK retailer disclosed the devastating financial impact in its interim results released this week.
The attack, attributed to the Scattered Spider cybercriminal collective working with DragonForce ransomware, forced the 181-year-old cooperative into a £75 million underlying pre-tax loss for the first half of 2025, compared to a £3 million profit in the same period last year.
Attack Timeline and Discovery
The cyberattack began on April 22, 2025, but wasn’t detected until April 30, when Co-op shut down critical IT systems after discovering unauthorized access. The timing proved particularly damaging, striking during the busy Easter weekend when retail operations typically peak. 
The attack forced Co-op to rebuild its Windows domain controllers and further extend system unavailability, causing widespread disruption across the company’s 2,300 food stores, 800 funeral homes, and financial services operations.
Financial Impact Breakdown
The £80 million hit comprises two main categories: £20 million in one-off additional costs and £60 million from lost sales while systems were down. The broader revenue impact reached £206 million ($277 million) across the six-month period.
Management estimates there will be an additional £20 million in losses in the second half as the recovery continues, though at a reduced level compared to the initial impact.
The retailer’s statutory operating results swung to a £56 million loss from a £35 million profit in the first half of 2024. Group revenue fell 2.1% to £5.48 billion, though excluding the cyber incident impact, revenue would have grown 1.5%.
Massive Data Breach
Hackers stole the personal data of all 6.5 million members during the April cyberattack, Co-op confirmed in July. The compromised information included names, contact details, addresses, email addresses, and phone numbers of current and former members.
Co-op emphasized that passwords, banking details, credit card information, and transaction data were not accessed. However, DragonForce claimed to have stolen data from 20 million people, though Co-op has not confirmed this larger figure.
Scattered Spider Attribution
Security researchers linked the attack to Scattered Spider, an English-speaking cybercriminal group known for sophisticated social engineering techniques. The attacks were first linked to Scattered Spider and The Com, two overlapping English-speaking hacking collectives, acting as a DragonForce affiliate.
The attack was part of a coordinated campaign against UK retailers. DragonForce, the white-label ransomware-as-a-service group claiming responsibility for all three attacks, also targeted Marks & Spencer and Harrods during the same period.
Law Enforcement Response
On July 10th, U.K.’s National Crime Agency arrested four young suspects (ages 17–20) linked to the Co-op cyberattack, as well as those at Marks & Spencer and Harrods.
The arrests are part of broader international law enforcement efforts against Scattered Spider. U.S. prosecutors have charged group members with stealing at least $115 million in ransom payments from victims across multiple industries.
Operational Disruption
The attack caused significant real-world disruption for customers and staff. Shoppers faced empty shelves and payment system failures across Co-op’s network. M&S insiders revealed how IT staff have been forced to sleep over in the office amid the chaos during similar attacks on other retailers.
Internal Co-op communications showed the security response’s scope, with VPN access suspended for all staff and employees advised to verify all Microsoft Teams meeting attendees on camera, suggesting concerns about compromised internal systems.
CEO Shirine Khoury-Haq told customers the cybercriminals were “highly sophisticated” and that managing the attack’s severity required suspending multiple services.
DragonForce Ransomware Operation
DragonForce had started out as a Malaysia-based hacktivist network supporting Palestinian causes, but since its emergence in the summer of 2023 it has pivoted to a hybrid model of political hacktivism and ransomware-enabled extortion.
The group operates a white-label ransomware-as-a-service model, allowing affiliates to use its tools while maintaining centralized control. DragonForce has introduced a new white-labelling service that lets affiliates wrap the ransomware in their own branding for an additional fee.
Recovery Efforts
Co-op has restored most systems and operations but expects continued financial impact in the second half of 2025. The cooperative’s £800 million liquidity position helped it navigate the crisis while maintaining essential services.
Chair Debbie White said: “The first half of 2025 brought significant challenges, most notably from a malicious cyber attack. Our balance sheet strength and the magnificent response of our 53,000 colleagues enabled us to maintain vital services for our members and their communities.”
The company has begun implementing structural changes and refining its member proposition as part of recovery efforts. Despite the attack’s impact, Co-op maintained its commitment to serving the 4.6 million households that rely on its services across the UK.
The £107 million loss represents one of the most significant financial impacts from a cyberattack disclosed by a UK retailer, highlighting the growing threat sophisticated cybercriminal groups pose to critical infrastructure and consumer services.
