Incident Types: The types of cybersecurity incidents that have occurred include Ransomware and Cyber Attack.

Total Financial Loss: The total financial loss from these incidents is estimated to be $990 million.

Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with taking multiple systems offline, containment measures with engaging with the uk’s national cyber security centre (ncsc), and communication strategy with notifying affected members, and law enforcement notified with yes, and containment measures with shut down several it systems, and communication strategy with public apology by ceo, and communication strategy with public disclosure by threat actors (e.g., scattered spider), communication strategy with expert warnings about underreporting, and third party assistance with cybersecurity firms (e.g., ncc group), third party assistance with threat intelligence providers, and containment measures with isolation of infected systems, containment measures with disabling compromised accounts, containment measures with blocking malicious ips, and remediation measures with patching zero-day vulnerabilities, remediation measures with enhancing endpoint detection, remediation measures with updating pdf reader software, and recovery measures with restoring backups, recovery measures with rebuilding payment systems, recovery measures with customer notification campaigns, and communication strategy with limited public disclosure by victims, communication strategy with press statements by cybersecurity experts, communication strategy with advisories to supply chain partners, and network segmentation with recommended for payment systems, and enhanced monitoring with for weaponized pdfs, enhanced monitoring with ai-generated phishing attempts, and incident response plan activated with yes (restrictions placed on systems), and containment measures with system restrictions, containment measures with blocked 4,000 ransomware attempts per minute, and remediation measures with gradual system restoration, remediation measures with leadership review, and recovery measures with phased reboot of it systems, recovery measures with operational adjustments in food business, and communication strategy with public disclosure (july 2023), communication strategy with ceo apology, communication strategy with transparency in financial reports, and incident response plan activated with yes (systems temporarily shut down to contain threat), and containment measures with shut down affected it systems, containment measures with isolated compromised accounts, and remediation measures with prioritized essential services (e.g., funerals, rural stores), remediation measures with supported independent co-op societies and franchise partners, and recovery measures with resumed expansion plans (30 new openings in h2 2025), recovery measures with overhauled leadership, recovery measures with formed new commercial and logistics division, and communication strategy with public disclosure in july 2025, communication strategy with offered £10 discount to members as compensation, communication strategy with media statements by ceo and chairwoman, and and containment measures with partial shutdown of it systems, and recovery measures with entered recovery phase after 2 weeks, recovery measures with maintained trading during disruption, and communication strategy with public announcements on financial impact, communication strategy with statements from chair (debbie white) and ceo (shirine khoury-haq), communication strategy with emphasis on colleague resilience and member support, and and containment measures with temporary shutdown of it systems, containment measures with prevented further ransomware deployment, and recovery measures with prioritized essential services (e.g., funerals), recovery measures with stock prioritization for rural 'lifeline' stores, recovery measures with support for independent co-op societies and franchise partners, recovery measures with £10 discount for members (on £40 shop), and communication strategy with public disclosure in july 2025, communication strategy with statements by chairwoman (debbie white) and ceo (shirine khoury-haq), and incident response plan activated with yes (within minutes of detection), and containment measures with immediate account lockdown, containment measures with malware blocking, containment measures with layered cyber defenses, and remediation measures with system restoration (ongoing), remediation measures with enhanced monitoring, and recovery measures with prioritization of critical services (e.g., vulnerable communities), recovery measures with partnership with *the hacking games* to address root causes, and communication strategy with public disclosure of financial impact, communication strategy with media statements by executives (e.g., rob elsey, shirine khoury-haq), and enhanced monitoring with yes (continuous investment in layered defenses), and incident response plan activated with yes (front-end elements of cyber insurance utilized for immediate response), and third party assistance with yes (technology space third parties via cyber insurance), and remediation measures with refining member and customer proposition, remediation measures with structural changes to the food business, remediation measures with disciplined approach to investment to manage cyber impact in h2 2025, and third party assistance with digital forensics teams, third party assistance with legal counsel, third party assistance with it recovery experts (via cyber insurance), and recovery measures with data backups, recovery measures with encryption, recovery measures with secure storage practices, and communication strategy with crisis communications (covered by cyber insurance), and enhanced monitoring with threat intelligence, enhanced monitoring with network monitoring, and communication strategy with public disclosure via proton data breach observatory; advisory to monitor accounts/bank statements..

Common Attack Types: The most common types of attacks the company has faced is Cyber Attack.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Social engineering and password reset, weaponized PDFsphishing emailszero-day exploits, weaponized PDFsphishing emailsunpatched softwarestolen credentials, Staff Impersonation, Social engineering (impersonation of workers to trick employees), Social Engineering (Impersonation of Employee) and third-party access control vulnerability (Marks & Spencer).

Average Financial Loss: The average financial loss per incident is $76.15 million.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Names, Residential Addresses, Email Addresses, Phone Numbers, Dates Of Birth, , Contact Information, , Customer Data, Pii, Payment Information, Operational Data, , Pii, Payment Card Data, Corporate Emails, Supply Chain Data, , Personal Identifiable Information (Pii), , Personal Data (Members), , Personal data (members), Personally Identifiable Information (Pii), , Personally Identifiable Information (Pii), Email Addresses (100% Of Breaches), Names (90%), Phone Numbers (72%), Passwords (49%), Health Records (34%), Government Records (34%) and .

Incident Response Plan: The company's incident response plan is described as Yes (Restrictions Placed on Systems), Yes (systems temporarily shut down to contain threat), , , Yes (within minutes of detection), .

Third-Party Assistance: The company involves third-party assistance in incident response through cybersecurity firms (e.g., NCC Group), threat intelligence providers, , , digital forensics teams, legal counsel, IT recovery experts (via cyber insurance), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: patching zero-day vulnerabilities, enhancing endpoint detection, updating PDF reader software, , Gradual System Restoration, Leadership Review, , Prioritized essential services (e.g., funerals, rural stores), Supported independent co-op societies and franchise partners, , System Restoration (Ongoing), Enhanced Monitoring, , refining member and customer proposition, structural changes to the Food business, disciplined approach to investment to manage cyber impact in H2 2025, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by taking multiple systems offline, engaging with the uk’s national cyber security centre (ncsc), , shut down several it systems, isolation of infected systems, disabling compromised accounts, blocking malicious ips, , system restrictions, blocked 4,000 ransomware attempts per minute, , shut down affected it systems, isolated compromised accounts, , partial shutdown of it systems, , temporary shutdown of it systems, prevented further ransomware deployment, , immediate account lockdown, malware blocking, layered cyber defenses and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through restoring backups, rebuilding payment systems, customer notification campaigns, , Phased Reboot of IT Systems, Operational Adjustments in Food Business, , Resumed expansion plans (30 new openings in H2 2025), Overhauled leadership, Formed new commercial and logistics division, , Entered recovery phase after 2 weeks, Maintained trading during disruption, , Prioritized essential services (e.g., funerals), Stock prioritization for rural 'lifeline' stores, Support for independent co-op societies and franchise partners, £10 discount for members (on £40 shop), , Prioritization of Critical Services (e.g., Vulnerable Communities), Partnership with *The Hacking Games* to Address Root Causes, , data backups, encryption, secure storage practices, .

Key Lessons Learned: The key lessons learned from past incidents are Ransomware attacks are evolving toward high-value, targeted strikes despite overall decline in volume.,Public disclosure by threat actors (e.g., Scattered Spider) increases pressure on victims and attracts copycats.,Industrial and retail sectors remain prime targets due to operational disruption potential and data value.,Weaponized PDFs and AI-enhanced phishing are emerging as critical attack vectors.,Underreporting obscures the true scale of incidents; geopolitical/economic tensions exacerbate risks.,Blurred lines between work/personal devices (e.g., remote work) create new vulnerabilities.High-profile attacks in retail demonstrate the need for robust payment system segmentation.,Zero-day exploits in PDF readers highlight the importance of patch management and behavioral monitoring.,Public disclosure by threat actors (e.g., Scattered Spider) increases pressure on victims to pay ransoms.,Geopolitical and economic instability correlates with increased cyberattack frequency and sophistication.,AI-driven phishing and weaponized documents are evolving to bypass traditional security controls.Need for Strengthened Cyber Defenses Against Social Engineering,Importance of Rapid Containment to Limit Operational Disruption,Criticality of Member Data Protection,Resilience in Supply Chain and IT SystemsNeed for stronger cybersecurity in food business operations,Importance of mandatory ransomware reporting (advocated by CEO),Resilience in maintaining essential services during crises,Opportunity to reflect and emerge stronger post-incidentHighlighted strengths in financial resilience and colleague response,Identified need for improvements in Food business operations,Recognized cyber threats as a persistent risk requiring long-term mitigation,Emphasized structural changes and member/customer proposition refinementHighlighted strengths in balance sheet resilience and colleague response,Exposed vulnerabilities in food business operations,Need for structural changes and refined member/customer propositionsImportance of layered cyber defenses and rapid response,Need for better insurance coverage against cyber risks,Addressing root causes like 'youth disenfranchisement' as a contributor to cyber threats,Focus on strengthening food business cybersecurityHighlighted strengths but also areas needing focus, particularly in the Food business.,Need for refining member and customer proposition.,Importance of structural changes to the business for long-term success.,Disciplined investment approach to manage cyber impact.Cyber insurance alone is insufficient without incident response capabilities.,SMEs underestimate exposure, especially in supply chains or indirect data handling.,Proactive cyber resilience (prevention, detection, response, recovery) is critical.,Expert-led incident response reduces financial and operational impact.,Regular updates to incident response plans and staff training improve readiness.Small businesses (under 250 employees) are disproportionately targeted despite limited resources to recover. Retail is the highest-risk industry. Basic PII (emails/names) is ubiquitous in breaches, but sensitive data (passwords/health records) poses severe identity theft risks. Continuous monitoring of accounts and breach notification tools (e.g., Have I Been Pwned) are critical for mitigation.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Enhance employee training on social engineering tactics, Increase investment in proactive threat detection and response capabilities, Collaborate with initiatives like *The Hacking Games* to mitigate long-term cyber threats and Review and expand cyber insurance policies.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Britain's Cyber Monitoring Centre (CMC), and Source: BBC Breakfast show, and Source: BleepingComputer, and Source: NCC Group Threat Intelligence, and Source: Cybersecurity experts (e.g., Matt Hull, Mike), and Source: NCC Group Threat Intelligence ReportDate Accessed: 2024-05, and Source: Cybersecurity Ventures - Ransomware Trends 2024Date Accessed: 2024-05, and Source: The Telegraph, and Source: Co-op Group Financial Results (2023), and Source: The Independent, and Source: PA News Agency (interview with CEO Shirine Khoury-Haq), and Source: Co-op Group Half-Year Financial Report (2025), and Source: Public Statements by Co-op Chair (Debbie White) and CEO (Shirine Khoury-Haq), and Source: The Standard, and Source: The Mirror, and Source: Retail Insight Network (GlobalData), and Source: UK Government Survey 2025, and Source: BlueVoyant Cyber Defense Platform, and Source: GDPR RegulationsUrl: https://gdpr-info.eu/, and Source: Proton Data Breach ObservatoryDate Accessed: 2025, and Source: TechRadar ProDate Accessed: 2025, and Source: Have I Been PwnedUrl: https://haveibeenpwned.com.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Notifying Affected Members, Public Apology By Ceo, Public Disclosure By Threat Actors (E.G., Scattered Spider), Expert Warnings About Underreporting, Limited Public Disclosure By Victims, Press Statements By Cybersecurity Experts, Advisories To Supply Chain Partners, Public Disclosure (July 2023), Ceo Apology, Transparency In Financial Reports, Public Disclosure In July 2025, Offered £10 Discount To Members As Compensation, Media Statements By Ceo And Chairwoman, Public Announcements On Financial Impact, Statements From Chair (Debbie White) And Ceo (Shirine Khoury-Haq), Emphasis On Colleague Resilience And Member Support, Public Disclosure In July 2025, Statements By Chairwoman (Debbie White) And Ceo (Shirine Khoury-Haq), Public Disclosure Of Financial Impact, Media Statements By Executives (E.G., Rob Elsey, Shirine Khoury-Haq), Crisis Communications (Covered By Cyber Insurance) and Public disclosure via Proton Data Breach Observatory; advisory to monitor accounts/bank statements.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Retailers And Industrial Firms Urged To Heighten Defenses Against Ransomware And Supply Chain Attacks., Regulators Advised To Address Underreporting And Enforce Transparency In Breach Disclosures., Customers Of Affected Retailers (E.G., Co-Op, M&S, Harrods) Advised To Monitor For Identity Theft And Fraud., General Public Warned About Phishing Emails/Pdfs Impersonating Trusted Brands., , Retailers Advised To Audit Payment System Security., Industrial Firms Urged To Isolate Ics From Corporate Networks., Regulators (E.G., Ico, Cisa) Monitoring Compliance With Breach Notifications., Victims (E.G., Co-Op, M&S) Notified Customers Of Potential Pii Exposure., Recommendations To Monitor Financial Accounts For Fraud., , Public Statements By Ceo And Chairman, Financial Disclosures To Investors, Ceo Apology For Data Breach, Assurance No Financial Data Stolen, , Prioritized Support For Independent Co-Op Societies And Franchise Partners, £10 Discount Off A £40 Shop For Members As Compensation, , Financial Impact Disclosed To Investors, Commitment To Long-Term Recovery Communicated To Members And Employees, Assurance Of Continued Service Despite Disruptions, Focus On Supporting Vulnerable Communities During Recovery, , Public Statements By Leadership, Member Compensation (£10 Discount), £10 discount for members on £40 shop as apology, Vigilance advised for all stakeholders; retailers urged to assess third-party risks. and Monitor bank statements/accounts for fraud; use breach notification tools..

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Cybersecurity Firms (E.G., Ncc Group), Threat Intelligence Providers, , For Weaponized Pdfs, Ai-Generated Phishing Attempts, , Yes (continuous investment in layered defenses), , Digital Forensics Teams, Legal Counsel, It Recovery Experts (Via Cyber Insurance), , Threat Intelligence, Network Monitoring, .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Deploy Behavioral Analysis Tools To Detect Weaponized Pdfs/Malicious Attachments., Conduct Red Team Exercises To Test Resilience Against Ai-Enhanced Phishing., Enforce Multi-Factor Authentication (Mfa) For All Critical Systems., Isolate Payment Systems And Industrial Control Networks From General It Infrastructure., Establish A Cross-Sector Threat Intelligence Sharing Platform For Retail/Industrial Firms., , Mandatory **Mfa For All Critical Systems**., **Isolation Of Payment Environments** From General It Networks., **Continuous Vulnerability Scanning** For Zero-Day Exploits., **Dark Web Monitoring** For Stolen Credentials And Data Leaks., **Red Team Exercises** To Test Defenses Against Ransomware Tactics., , System Restrictions To Limit Attack Spread, Leadership Review (Md Resignation), Focus On Food Business Resilience, , Leadership Overhaul And New Commercial/Logistics Division, Resumed Expansion With 30 New Store Openings In H2 2025, Advocacy For Government-Mandated Cyberattack Reporting, , Refinement Of Member/Customer Proposition, Structural Changes To Business Operations (Especially Food Division), Partnership With The Hacking Games To Address Cyber Threat Roots, Financial Measures To Ensure Stability (E.G., £350M Lending Agreement, £400M Credit Facility), , Structural Business Changes, Refined Member/Customer Propositions, Long-Term Resilience Planning, , Enhanced Monitoring And Layered Defenses, Partnership With *The Hacking Games* To Address Cyber Threat Roots, Focused Improvements In Food Business Cybersecurity, , Refining Member And Customer Proposition., Structural Changes To The Food Business., Disciplined Investment Approach To Reduce Cyber Impact In H2 2025., , Integrate Cyber Insurance With Cyber Resilience Strategies., Enhance Third-Party/Supply Chain Security Assessments., Implement And Test Incident Response Plans., Invest In Expert-Led Forensics And Recovery Services., Regularly Update Security Measures (Mfa, Monitoring, Threat Intelligence)., .

Ransom Payment History: The company has Paid ransoms in the past.

Last Attacking Group: The attacking group in the last incident were an Scattered Spider, AkiraScattered SpiderQilinPlayBabuk2, AkiraScattered SpiderQilinPlayBabuk2, Unknown (Described as 'very persistent and very capable' criminals) and DragonForce (Co-op ransomware).

Most Recent Incident Detected: The most recent incident detected was on 2023-04-22.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025.

Highest Financial Loss: The highest financial loss from an incident was £300 million (estimated for UK retailers like Coop and M&S).

Most Significant Data Compromised: The most significant data compromised in an incident were names, residential addresses, email addresses, phone numbers, dates of birth, , Contact information of 6.5 million members, , customer data, payment system information, personally identifiable information (PII), , customer payment data, personally identifiable information (PII), corporate intellectual property, Records Exposed: 6.5 million (members' data), Data Types: ['Names', 'Addresses', 'Contact Information'], , Records Exposed: 6.5 million (members' data), Data Types: ['Names', 'Addresses', 'Contact Information'], , Personal data of all 6.5 million members, Personal data of 6.5 million members (file copied by hackers)Personal Data: {'customers_affected': '6.5 million (member customers)', 'type': ['personally identifiable information (PII)']}, , Personal Data: {'customers_affected': '6.5 million (member customers)', 'type': ['personally identifiable information (PII)']}, and 300+ million individual records (800 verified breaches); hundreds of billions including compilations.

Most Significant System Affected: The most significant system affected in an incident was IT systemsWindows domain and payment systemsoperational infrastructuresupply chain networks and payment processing systemsretail POS terminalsindustrial control systems (ICS)supply chain management platforms and IT Systems (Shutdown)Food Delivery SystemsMember Database and IT systems (partially shut down)Payment systemsInventory managementBack-office operations and IT Systems (partial shutdown)Supply Chain Systems and IT systems (partially shut down)Payment systemsInventory management and Operational Systems (Partial Downtime)Sales Systems and IT systems (retailer)payment systemsinventory management systemsfuneral home operations (reverted to paper-based).

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was cybersecurity firms (e.g., ncc group), threat intelligence providers, , , digital forensics teams, legal counsel, it recovery experts (via cyber insurance), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Taking multiple systems offlineEngaging with the UK’s National Cyber Security Centre (NCSC), Shut down several IT systems, isolation of infected systemsdisabling compromised accountsblocking malicious IPs, System RestrictionsBlocked 4,000 Ransomware Attempts per Minute, Shut down affected IT systemsIsolated compromised accounts, Partial shutdown of IT systems, Temporary shutdown of IT systemsPrevented further ransomware deployment and Immediate Account LockdownMalware BlockingLayered Cyber Defenses.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were customer payment data, names, phone numbers, corporate intellectual property, Personal data of all 6.5 million members, Personal data of 6.5 million members (file copied by hackers), personally identifiable information (PII), email addresses, dates of birth, Contact information of 6.5 million members, 300+ million individual records (800 verified breaches); hundreds of billions including compilations, residential addresses, payment system information and customer data.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 32.5M.

Highest Ransom Paid: The highest ransom paid in a ransomware incident was No (attack was contained before ransomware deployment).

Highest Fine Imposed: The highest fine imposed for a regulatory violation was up to €20M or 4% global turnover, .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Regular updates to incident response plans and staff training improve readiness., Small businesses (under 250 employees) are disproportionately targeted despite limited resources to recover. Retail is the highest-risk industry. Basic PII (emails/names) is ubiquitous in breaches, but sensitive data (passwords/health records) poses severe identity theft risks. Continuous monitoring of accounts and breach notification tools (e.g., Have I Been Pwned) are critical for mitigation.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Accelerated recovery plans for back-office operations, Deploy proactive security measures (MFA, endpoint protection, threat intelligence)., Develop and test incident response plans for ransomware, including communication strategies for public disclosures., Adopt **proactive threat hunting** to detect ransomware groups like Akira and Scattered Spider early., Enhance cyber resilience measures to prevent similar incidents., Develop Redundant IT Infrastructure to Mitigate Downtime, Consumers should use tools like Have I Been Pwned to check exposure and monitor financial accounts., Prioritize patching zero-day vulnerabilities and unpatched systems., Continue refining member and customer propositions., Refine member and customer propositions, Enhance employee training on social engineering tactics, Invest in cyber insurance *and* cyber resilience strategies., Enhance **employee training** on AI-generated phishing and social engineering tactics., Implement **network segmentation** for payment and industrial control systems to limit lateral movement., Partnerships to address root causes of cyber threats (e.g., The Hacking Games initiative for youth disenfranchisement), Mandatory reporting of cyberattacks and ransom payments (CEO's call to UK Government), Deploy **behavioral-based detection** (e.g., adaptive WAFs) to identify weaponized PDFs and zero-day exploits., Collaborate with external experts for rapid investigation and remediation., Long-term strategic adjustments for resilience, Maintain a disciplined investment strategy to mitigate future cyber risks., Review and expand cyber insurance policies, Enhance Staff Training on Impersonation Attacks, Customer retention strategies to rebuild trust, Adopt AI-driven threat detection to counter AI-enhanced attacks., Strengthen security culture with regular training on phishing/social engineering (e.g., weaponized PDFs)., Increase investment in proactive threat detection and response capabilities, Implement incident response planning with tested procedures., Implement network segmentation to limit lateral movement in industrial/retail environments., Proactive communication strategies for breach disclosure to maintain trust., Implement structural changes to the business, Small businesses should prioritize cybersecurity hygiene (e.g., password managers, MFA)., Implement structural changes in the Food business., Vigilant monitoring of privileged accounts, Prioritize supply chain security and third-party risk management., Long-term focus on reducing cyber impact, Monitor dark web for stolen data (e.g., customer PII) and proactively notify affected parties., Establish **supply chain cybersecurity standards** to mitigate third-party risks., Rapid assimilation of threat intelligence, Enforce strict separation of work/personal devices to reduce attack surfaces., Improved segmentation of IT systems to limit lateral movement, Disciplined investment approach to bolster cyber defenses, Retailers must invest in threat detection and dark web monitoring., Implement Multi-Factor Authentication (MFA) for Critical Systems, Robust multi-factor authentication, Collaborate with initiatives like *The Hacking Games* to mitigate long-term cyber threats, Continuous refinement of business structure and member value, Enhanced employee training on social engineering and phishing, Strengthen **customer communication plans** to maintain trust during breaches., Improve Incident Communication Protocols, Develop **incident response playbooks** tailored to ransomware and data exfiltration scenarios., Conduct simulated breach exercises and regular plan reviews., Adopt data management best practices (backups, encryption, secure storage). and Conduct Third-Party Security Audits.

Most Recent Source: The most recent source of information about an incident are Proton Data Breach Observatory, TechRadar Pro, NCC Group Threat Intelligence, BleepingComputer, GDPR Regulations, BBC Breakfast show, NCC Group Threat Intelligence Report, Cybersecurity experts (e.g., Matt Hull, Mike), Retail Insight Network (GlobalData), The Telegraph, Britain's Cyber Monitoring Centre (CMC), Public Statements by Co-op Chair (Debbie White) and CEO (Shirine Khoury-Haq), Cybersecurity Ventures - Ransomware Trends 2024, Have I Been Pwned, The Standard, The Independent, PA News Agency (interview with CEO Shirine Khoury-Haq), UK Government Survey 2025, The Mirror, BlueVoyant Cyber Defense Platform, Co-op Group Half-Year Financial Report (2025) and Co-op Group Financial Results (2023).

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://gdpr-info.eu/, https://haveibeenpwned.com .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Retailers and industrial firms urged to heighten defenses against ransomware and supply chain attacks., Regulators advised to address underreporting and enforce transparency in breach disclosures., Retailers advised to audit payment system security., Industrial firms urged to isolate ICS from corporate networks., Regulators (e.g., ICO, CISA) monitoring compliance with breach notifications., Public Statements by CEO and Chairman, Financial Disclosures to Investors, Prioritized support for independent co-op societies and franchise partners, Financial impact disclosed to investors, Commitment to long-term recovery communicated to members and employees, Public statements by leadership, Member compensation (£10 discount), Vigilance advised for all stakeholders; retailers urged to assess third-party risks., .

Most Recent Customer Advisory: The most recent customer advisory issued were an Customers of affected retailers (e.g., Co-op, M&S, Harrods) advised to monitor for identity theft and fraud.General public warned about phishing emails/PDFs impersonating trusted brands., Victims (e.g., Co-op, M&S) notified customers of potential PII exposure.Recommendations to monitor financial accounts for fraud., CEO Apology for Data BreachAssurance No Financial Data Stolen, £10 discount off a £40 shop for members as compensation, Assurance of continued service despite disruptionsFocus on supporting vulnerable communities during recovery, £10 discount for members on £40 shop as apology and Monitor bank statements/accounts for fraud; use breach notification tools.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Staff Impersonation, Social Engineering (Impersonation of Employee), Social engineering and password reset and Social engineering (impersonation of workers to trick employees).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Weak password policiesSocial engineering vulnerabilities, Exploitation of zero-day vulnerabilities in PDF software.Successful phishing/social engineering due to convincing AI-generated content.Inadequate patch management and unpatched systems.Lack of network segmentation in retail/industrial environments.Blurred work-personal device boundaries enabling lateral movement., Lack of segmentation between payment and corporate systems.Delayed patching of zero-day vulnerabilities in PDF software.Insufficient monitoring for AI-driven phishing campaigns.Over-reliance on perimeter security without behavioral detection., Successful Staff Impersonation by AttackersInadequate Safeguards Against Social EngineeringRapid Propagation of Malware Within Systems, Successful phishing/social engineering attackInadequate employee training on impersonation tacticsLack of system segmentation to contain breach, Sophisticated attack (specifics undisclosed)IT system vulnerabilities enabling data exfiltration, Social Engineering Vulnerability (Employee Impersonation)Sophisticated, Persistent, and Multi-Staged AttackYouth disenfranchisement (claimed as a broader root cause by Co-op CEO), Underestimation of risk (especially SMEs in supply chains).Lack of cyber insurance coverage (e.g., Co-op for ransomware).Inadequate incident response capabilities.Third-party vulnerabilities (e.g., access control in Marks & Spencer)., Targeting of under-resourced small businessesHigh-value PII collection by retailersLack of proportional cybersecurity investments in SMEs.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Deploy behavioral analysis tools to detect weaponized PDFs/malicious attachments.Conduct red team exercises to test resilience against AI-enhanced phishing.Enforce multi-factor authentication (MFA) for all critical systems.Isolate payment systems and industrial control networks from general IT infrastructure.Establish a cross-sector threat intelligence sharing platform for retail/industrial firms., Mandatory **MFA for all critical systems**.**Isolation of payment environments** from general IT networks.**Continuous vulnerability scanning** for zero-day exploits.**Dark web monitoring** for stolen credentials and data leaks.**Red team exercises** to test defenses against ransomware tactics., System Restrictions to Limit Attack SpreadLeadership Review (MD Resignation)Focus on Food Business Resilience, Leadership overhaul and new commercial/logistics divisionResumed expansion with 30 new store openings in H2 2025Advocacy for government-mandated cyberattack reporting, Refinement of member/customer propositionStructural changes to business operations (especially Food division)Partnership with The Hacking Games to address cyber threat rootsFinancial measures to ensure stability (e.g., £350m lending agreement, £400m credit facility), Structural business changesRefined member/customer propositionsLong-term resilience planning, Enhanced monitoring and layered defensesPartnership with *The Hacking Games* to address cyber threat rootsFocused improvements in food business cybersecurity, Refining member and customer proposition.Structural changes to the Food business.Disciplined investment approach to reduce cyber impact in H2 2025., Integrate cyber insurance with cyber resilience strategies.Enhance third-party/supply chain security assessments.Implement and test incident response plans.Invest in expert-led forensics and recovery services.Regularly update security measures (MFA, monitoring, threat intelligence)..