coop availability shortages empty supermarket shelves (2)

As Co-op tried to extract hackers from its systems, it was forced to halt deliveries to stores

Co-op’s systems are “now stable” and the retailer is making “significant progress towards a full and complete recovery” following a cyberattack which devastated the convenience retailer’s availability.

In a statement this morning, the company’s group CEO Shirine Khoury-Haq said there was “still work to do to unwind the operational and technical impacts of the actions we had to take to block the criminals” but that food stores are now well supplied with product, and Co-op’s other businesses are back online and serving customers.

Co-op first revealed it had shut down parts of its IT estate at the beginning of May. Initially, it said the damage was limited to “a small impact to some of our back office and call centre services”. Days later, as it experienced “sustained malicious attempts by hackers”, the retailer said the hackers had been able to access data from one of its systems associated with current and past members including names, residential addresses, email addresses, phone numbers and dates of birth, but not passwords or bank and credit card details.

As it tried to extract hackers from its systems, it was forced to halt deliveries to stores. As a result, widespread availability issues crippled stores across the country through last month. Co-op wrote to suppliers warning them “we are currently unable to place orders until further notice”. In a communication seen by The Grocer, the retailer requested they “do not send deliveries to Co-op depots” without a direct go-ahead.

Khoury-Haq gave special thanks to the retailer’s technology and information security staff, whom she said were “true superheroes”.

“What they have done for us, our partners, our peers, our members and our customers in the face of a sustained and highly sophisticated attack was nothing short of heroic,” she said.

“You always learn lessons in difficult times and we are coming out of this stronger and more effective than before,” Khoury-Haq added.

Co-op’s struggle comes amid a spate of cyberattacks on UK retailers, among them M&S and Harrods. The cyberattack on Marks & Spencer cost the retailer £43m a week in lost sales, according to analysis by Bank of America Global Research.

Late last month, the supermarket said it was expecting a £300m hit to profits, and while the retailer said food availability in stores was now starting to improve, it expects the online disruption to continue into July. That’s because “turning this system back on is quite complex”, M&S boss Stuart Machin said at the retailer’s annual results. “We’ve been cleansing our whole digital estate. We have over 600 applications and ­thousands of servers,” he added.

For all affected businesses there remains an unknown regarding a potential fine from the Information Commissioner’s Office (ICO), which enforces data protection regulation. The maximum fine is £17.5m or 4% of annual turnover, whichever is higher.

There is also the prospect of class action data lawsuits from affected customers. A law firm promising M&S customers compensation over a data breach says it has signed up more than 300 claimants, a week after going public with the action.