Co-op reveals $276m revenue hit from cyberattack


A UK supermarket chain, the Co-op, said that the cyberattack it suffered earlier this year cost it about £206m ($276m) in revenue, estimating a massive £120m ($161m) hit to full-year profits.

The group reported an underlying loss before tax of £75m ($100.5m) in the six months to 5th July, compared with a profit of £3m ($4m) in the same period last year.

The cyberattack was not the only factor weighing on profits: increased staffing costs and regulations also played a part. The full cost of the attack is expected to be much higher due to its potential impact in the second half of the year.

A massive hit

The chief financial officer, Rachel Izzard, told Reuters: “We believe the hit to the half year is £80m ($107m), we believe the hit for the full year is £120m ($160m) and that’s inclusive of any [insurance] recovery.”

Izzard also disclosed that the company had limited insurance coverage:

“We had the front-end elements of cyber insurance in place in terms of the immediate response capabilities in the technology space for third parties but we don’t believe we will be claiming on insurance for back-end losses.”

Co-op’s total reported revenue was £5.48bn ($7.3bn), compared with the £5.6bn ($7.5bn) in total group revenue it reported for the same period in 2024.

The cyberattack against Co-op has been linked to a ransomware operation called Scattered Spider.

Robert Elsey, the chief digital and information officer at the Co-op, said that attackers managed to infiltrate the company’s systems via social engineering, specifically by posing as one of the employees. According to members of the gang, the hacker group managed to steal private information of 20 million Co-op customers.

Shirine Khoury-Haq, CEO at Co-op, acknowledged that the personal data of 6.5 million current and former Co-op Group Members has been taken.

Business-destroying attacks

“Today, cyberattacks can be business-destroying, impacting almost every function, from customers to employees to operations and the bottom line. However, many business leaders still don’t recognise these consequences and under invest in defences, leaving their organisation exposed,” Simon Phillips, CTO of Engineering, CybaVerse, told Cybernews.

“Suffering losses of £206 ($276) million is astronomical, and few organisations would be able to survive from this. Fortunately for an organisation as large as the Co-op, it's been a heavy blow, but recoverable,” Phillips adds.

In July, the National Crime Agency (NCA) arrested four people suspected of being involved in the cyberattacks on Co-op, Marks & Spencer, and Harrods.

M&S, Co-op, Harrods

The incident at Marks & Spencer impacted the company’s contactless payment system and forced a 46-day suspension of online order processing for clothing and home goods.

In the cyberattack on Harrods, hackers attempted to gain unauthorised access to some of its systems.

Andy McKay, Head of IT and Cyber Security Services for Converged Communication Solutions, says that the Co-op’s reported losses give us a real window into the damage ransomware causes today.

“Many businesses balk at the cost of cyber security, seeing it as an optional spend that remediates IT issues and delivers no real return to the business. This is hugely wrong.

“The ROI of cyber is business continuity; safe, uninterrupted operations; the avoidance of putting sensitive customer, employee and corporate data at risk; the avoidance of regulatory compliance fines; and the avoidance of irreparable business, financial and reputational damage.

“We’ve seen a range of similar high-profile ransomware attacks on organisations this year, with the retailer M&S impacted to the tune of £300 million, while currently an ongoing attack against Jaguar Land Rover has ground the company’s production lines to a standstill, putting dozens of their suppliers at risk of collapse. The losses from this attack are reportedly reaching £50 million every week.”

McKay adds that for business leaders, this must serve as a wake-up call, prompting them to understand the real risks of underinvestment in cyber. “It’s not just technology at risk, everything can be at risk once an attacker gets into the network,” he says.