
Cyber Incident Victim: The Co-operative Group

Date: Jan 2025

Location: United Kingdom

Summary

A cyberattack attributed to the Scattered Spider group using DragonForce ransomware targeted multiple UK retailers, including the Co-op, causing significant financial losses. The attackers employed sophisticated social engineering and compromised third-party credentials to infiltrate networks, conducting extensive reconnaissance before deploying ransomware. While the Co-op suffered substantial financial damages, its prior migration from legacy systems to cloud infrastructure mitigated operational disruption compared to peers facing prolonged system rebuilds. The incident underscored the targeted nature of attacks against retailers with large attack surfaces and limited IT budgets, prompting sector-wide enhancements in crisis communications, digital transformation, and specialized security teams focused on employee awareness and third-party risk management.


Description

In 2025, the Scattered Spider cybercrime group executed a series of ransomware attacks against major UK retailers, including the Co-op, Marks & Spencer, and Harrods, causing extensive financial and operational damage. Attackers employed sophisticated social engineering tactics and leveraged compromised third-party credentials to gain initial access to corporate networks. After infiltration, they conducted prolonged reconnaissance activities to map systems and identify critical assets before deploying DragonForce ransomware. The Co-op suffered direct financial losses estimated at £206 million, while Marks & Spencer reported £300 million in damages, reflecting the severity of the encryption and data exfiltration events. These attacks disrupted retail operations during peak business periods, though the Co-op experienced comparatively less severe downtime due to its advanced cloud infrastructure migration. The incidents triggered immediate crisis response protocols across affected organizations, including forensic investigations to trace intrusion vectors and coordination with law enforcement agencies.


Parliamentary hearings and retail industry summits later analyzed the attacks, highlighting the Co-op’s proactive modernization efforts as a key factor in its resilience. Unlike Marks & Spencer, which required months to rebuild legacy systems compromised in the attack, the Co-op’s cloud-based architecture enabled faster containment and recovery. The breaches exposed systemic vulnerabilities across the retail sector, particularly its vast attack surface and historically constrained IT budgets. In response, retailers including Holland & Barrett and AllSaints initiated comprehensive upgrades to crisis communication protocols and accelerated digital transformation roadmaps. Several firms established dedicated "people security" teams to strengthen employee cybersecurity awareness programs and third-party vendor risk management frameworks, addressing the human-centric tactics exploited by Scattered Spider. The collective financial impact across all targeted retailers reached hundreds of millions of pounds, prompting sector-wide reassessments of ransomware preparedness and infrastructure modernization priorities.
