Co-op Ransomware Attack: Counting the Cost
I confess I like the Co-op. I like its history, its produce and its ethical approach to procuring food and services; as a result, I’ve been following with particular interest the recent cyber attack that left shelves empty, shoppers frustrated and suppliers acting in good faith. The Co-op ransomware incident came amid a flurry of attacks that affected UK retail in Spring 2025, with M&S being another victim of the same gang at the same time.
Immediate Disruption from the Co-op Ransomware Attack
Whilst the rebuilding and hardening of internal environments are (likely) still ongoing - from experience, these efforts could go on for many more months - the Co-op and M&S have returned to normal business operations. Today, however, the full cost impact of the incident to date has become known.
Financial Impact: £206 Million in Lost Revenue
The ransomware incident has so far cost the Co-op at least £206 million in lost revenue in the first half of 2025, the group revealed yesterday. The full cost could be much higher, with the group expecting further impact to its business in the second half of the year.
While demand for food and the Co-op’s other services remained stable, the financial hit was the result of the organisation’s inability to provide goods. It is not clear whether the Co-op will be able to claim against any cyber security insurance policies. Regardless of whether an insurance policy is held, it is unlikely that all losses will be recoverable from an insurance provider: M&S’s losses ran to £300 million, but its insurance policy was reported to have paid out just £100 million.
Ripple Effects on Communities and Suppliers
A further unexplored impact could be on any of the 36,000 community projects supported by the organisation, covering anything from “community fridges” to “care for the elderly”, which are funded by the organisation’s profits.
Wider UK Retail and Government Response to Cyber Attacks
The announcement comes at a time when the UK government is being called on to support Jaguar Land Rover’s (JLR) supply chain, with potentially wide-reaching ramifications. The prospect of Covid-era furlough schemes has recently been ruled out, but the Government could instead choose to directly buy goods from organisations that have suffered from a sudden lack of demand following the JLR attack.
Lessons from the Co-op and M&S Ransomware Incidents
Whilst much is still unclear, what is known is that successful attacks can be absolutely devastating, with ripples that spread out in unforeseen ways, impacting not only first-party victims such as Co-op, M&S, and JLR, but also third parties and victims.
Should Government Step In?
Critics could argue that any government intervention would amount to the underwriting of cyber security risk for a privately owned organisation, a topic that will be explored in more detail over time. There are, however, obvious comparisons to the 2008 financial crisis and the banks that were “too big to fail”. An added lens could also be that Co-op and its community efforts could be just as worthy of receiving government support; whether they would receive it is a different matter altogether.