The Co-op has revealed that it has lost approximately £206m ($277m) in revenue as a direct result of the “malicious” cyber-attack it experienced earlier this year.
The UK retailer provided insights into the financial fallout from the April incident in its H1 2025 financial report.
The lost revenue was a direct consequence of the Co-op temporarily shutting down a number of systems to contain the threat.
Overall, the company’s losses for the six-month period ending July 5, 2025, totalled £80m ($107m) as a result of the cyber-incident. The impact on sales from the attack is expected to continue in H2 2025.
No details have been provided on remediation costs, although a non-underlying one-off cost of £20m ($27m) was registered. It is not known whether this cost is related to the cyber-incident.
Co-op chief executive, Shirine Khoury-Haq, praised the retailer’s resiliency keeping essential services running during the incident, such as funerals and prioritizing food stocks to rural ‘lifeline’ stores.
She also noted that the incident highlighted areas the company needed to focus on, especially in the food business.
“We’ve already started on this journey, refining our member and customer proposition, making structural changes to our business, and setting our Co-op up for long-term success.”
Following the cyber-attack, Co-op launched a partnership with The Hacking Games to tackle youth disenfranchisement, which Khoury-Haq commented was “the root of many cyber threats.”
Ongoing Impact of Scattered Spider Attacks
The cyber-attack on the Co-op has been linked to the Scattered Spider group, a collective of English-speaking hackers affiliated to The Com online criminal outfit.
The incident occurred at a similar time to attacks on other high-profile UK retail brands Marks & Spencer (M&S) and Harrods, with authorities believing that all three are linked.
In July, UK law enforcement arrested four individuals, three of whom were teenagers, on suspicion of offenses relating to the three attacks.
Read now: Organizations Must Update Defenses to Scattered Spider Tactics, Experts Urge
M&S has also reported a substantial financial impact from the cyber-attack it faced, estimating total losses of £300m ($403M).
In July, executives from M&S and the Co-op gave evidence to a Parliamentary committee about the incidents.
M&S chairman, Archie Norman, confirmed the attack on the retailer’s systems was ransomware-related, but declined to say whether a payment was made to the threat actors.
Dominic Kendal-Ward, group secretary and general counsel at the Co-op, told the committee that the attackers were able to access member information during the time they were in the system, but this was limited to names, addresses and dates of birth.
Image credit: Sean Aidan Calderbank / Shutterstock.com
