
Co-op shuts down IT systems to contain cyberattack

Written by Farah Amod | May 14, 2025 1:33:32 AM

Co-op has shut down parts of its IT infrastructure to contain a cyberattack, marking the second major UK retail breach in two weeks amid escalating threats to the sector.

 

What happened

Co-op, a major UK cooperative operating across retail, insurance, legal, and funeral care, has proactively shut off parts of its IT infrastructure following attempted unauthorized access to its systems. The company confirmed that some back-office and call center systems were taken offline to contain the threat. While the cyber incident is still developing, all retail stores and funeral homes remain operational.

This makes Co-op the second major UK retailer to be affected by a cyberattack in just two weeks, following a similar breach involving Marks and Spencer (M&S). While speculation exists, no formal connection has been established between the two events.

 

Going deeper

According to Co-op, the response was a precautionary measure to prevent further compromise. Disabling vulnerable systems is a standard early containment tactic in cybersecurity, directed at stopping attackers' lateral movement before more sensitive infrastructure is reached.

Experts have commended the approach. Dray Agha, senior security operations manager at Huntress, said, “Shutting down virtual desktops and limiting back-end functions, while disruptive, is often a necessary measure to contain threats before they escalate.” He praised Co-op’s response as reflecting “a mature, proactive incident response posture.”

The wider cybersecurity community has noted that attacks on retail businesses are on the rise. Cybercriminals often start with low-level intrusions and escalate to data exfiltration or ransomware. M&S is believed to have been targeted by the Scattered Spider group, though this has not been confirmed. The Co-op breach appears to follow a similar pattern of initial access attempts.

 

What was said

A Co-op spokesperson shared: “We have recently experienced attempts to gain unauthorised access to some of our systems. As a result, we have taken proactive steps to keep our systems safe, which has resulted in a small impact on some of our back-office and call centre services.”

They stated that customer-facing operations, including stores and funeral services, are running as normal. “We are not asking our members or customers to do anything differently at this point. We will continue to provide updates as necessary.”

 

The big picture

Retailers like Co-op are learning the hard way that cybersecurity isn’t just an IT issue; it’s a business continuity issue. With ransomware gangs getting bolder and more sophisticated, organizations are increasingly faced with difficult decisions to safeguard their systems and minimize disruption. Co-op’s decision to shut down systems quickly was a disruptive measure, but one that may have limited further damage. For the industry, it’s a reminder: the cost of being unprepared is much higher than the cost of being cautious.

 

FAQs

Why are UK retailers increasingly targeted by cybercriminals?

Retailers hold large volumes of payment and personal data, making them attractive targets for ransomware and extortion attempts.

 

What is lateral movement in a cyberattack?

Lateral movement refers to when attackers, after gaining initial access, move deeper into an organization’s network to reach more valuable systems or data.

 

What role do virtual desktops play in cybersecurity incidents?

Virtual desktops can be exploited if compromised, but they also allow companies to isolate user environments quickly in response to a threat.

 

How does shutting down systems help during an attack?

Disabling vulnerable infrastructure limits the attacker’s ability to spread or escalate the attack, helping contain the breach before more damage is done.

 

What should other businesses learn from this incident?

Early detection, decisive containment, and transparent communication are needed to minimize the impact of a breach and preserve public trust.