Retail, insurance, legal and funeral care cooperative Co-op has confirmed it has shut off an unspecified number of back-office and communications systems to rebuff a series of ongoing attempts to hack into its IT systems.

In the wake of the still-developing incident affecting Marks and Spencer (M&S), which has been identified – although not confirmed – as the work of cyber crime collective Scattered Spider, Co-op now becomes the second UK retailer to face down a cyber attack in the space of a fortnight.

At this stage, no link between the two attacks has been established, and nor should one be implied.

A Co-op spokesperson told Computer Weekly: “We have recently experienced attempts to gain unauthorised access to some of our systems. As a result, we have taken proactive steps to keep our systems safe, which has resulted in a small impact to some of our back-office and call centre services.

“All our stores – including quick commerce operations – and funeral homes are trading as usual. We are working hard to reduce any disruption to our services and would like to thank our colleagues, members, partners and suppliers for their understanding during this period.

“We are not asking our members or customers to do anything differently at this point. We will continue to provide updates as necessary,” they said.

A good first step

Shutting off potentially affected systems can be a critical early step in incident management: once compromised systems are isolated, attackers find it significantly harder to move laterally through the target network in search of more critical infrastructure where they can cause more damage, such as data theft or encryption.

It also gives the victim’s security teams and third-party responders – if involved – some wiggle room to analyse the impact, identify the cause of the incident, and start work on fixes without risking the attack spreading further.

Indeed, Co-op’s decision to pre-emptively disable access to affected systems has already won it praise from the cyber community.

“[This] swift action … reflects a mature, proactive incident response posture,” said Dray Agha, senior manager of security operations at Huntress. “Shutting down virtual desktops and limiting back-end functions, while disruptive, is often a necessary measure to contain threats before they escalate.”

Agha observed that the incident at Co-op, about which little else is currently known, aligned with a broader trend where attackers increasingly target retailers with initial access attempts before escalating to data theft or ransomware. This pattern appears to be at play in the M&S incident as well.

With two supermarkets now facing substantial disruption from cyber incidents, other exposed organisations, especially retailers, should be taking steps to plan and prepare for incidents, said Nick Dyer, cyber security expert at Arctic Wolf.

“Other retailers need to take stock and learn from both this and the M&S incident to apply them to their own cyber security incident response plans. Even as retailers like Co-op quickly recover from these kinds of attacks, cyber criminals are known to switch tactics, turning to data exfiltration and double extortion to increase leverage,” he said.

“What’s more, retail continues to face some of the highest initial ransomware demands out of any other industry. Preparing for these scenarios can allow retailers to better respond if they are targeted in the future, and mitigate the impact on their wider business.”


By itnews