A retrospective on April's cyber breach and what recent revelations mean for businesses
In April 2025, the UK’s Co‑operative Group (Co‑op)—a network of over 2,300 supermarkets and services—fell victim to a targeted ransomware attack. Recent updates have shed light on the severity of the breach, including the compromise of all 6.5 million member records, and several arrests linked to the incident. This article breaks down the latest information and explores the tactics used by the attackers—crucial knowledge for any organization guarding against similar threats.
What we know so far
Mass data breach confirmed
- 6.5 million members affected: Co‑op CEO Shirine Khoury‑Haq confirmed that every single member's personal data (names, addresses, and contact information) was stolen in the attack. The company emphasized that no financial or transaction data was compromised.
- Detection systems flagged anomalous activity within hours; however, Co‑op had no cyber-insurance, which limits its ability to recover its financial losses.
Arrests and attributing responsibility
- Four individuals arrested: In early July, the UK’s National Crime Agency (NCA) detained four suspects—three aged 19, one 17, and one 20—connected with the cyberattacks targeting Co‑op, as well as M&S and Harrods.
- The arrests were made on organized-crime charges, including blackmail, money laundering, and offences under the Computer Misuse Act.
- Authorities suspect the involvement of Scattered Spider and its affiliate DragonForce, both known for sophisticated ransomware tactics.
Operational fallout and recovery efforts
- Inventory disruptions: Supermarket shelves emptied in remote areas as Co‑op disconnected key systems to contain the threat.
- Some funeral services were affected and fell back on paper systems after the IT shutdowns.
- Logistics systems were disabled to halt potential further penetration by hackers.
Attack tactics revealed
- Attackers used social engineering—impersonating staff to trick help desks into resetting passwords and bypassing MFA.
- The breach reflected advanced access techniques, such as exploiting VPNs/RDP and lateral movement across segmented networks.
⚠️ Key takeaways for businesses
1. Validate third-party and supply chain access
Ensure partners have robust security and crisis protocols.
2. Double down on secure authentication
Implement MFA, enforce strict help-desk SOPs, and limit admin-level access.
3. Execute real-world attack simulations
Run Threat-Led Penetration Testing (TLPT) regularly to uncover hidden vulnerabilities.
4. Operate proactive detection and response
A 24/7 SOC with real-time threat intelligence can detect anomalies before they escalate.
5. Prepare for disruptions with incident readiness
Develop and test disaster recovery plans, including digital resilience exercises.
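The help-desk tactic described under "Attack tactics revealed" (impersonating staff to obtain a password reset and a fresh MFA enrolment) leaves a recognisable trail in identity-provider audit logs, which is the kind of anomaly the SOC in takeaway 4 and the help-desk SOPs in takeaway 2 should be watching for. The following is an added example, not code from the article or from Apolo Cybersecurity: it correlates a help-desk-initiated password reset with a subsequent MFA method change and a sign-in from an IP address the user had never used before. The log format, event names and all sample lines are constructed for the example and are not taken from any real system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider audit log (hypothetical format, not real Co-op data):
#   timestamp|event|user|actor|src_ip
# "actor" is the account that performed the action; for help-desk actions it is
# the help-desk agent rather than the user.
SAMPLE_LOG = """\
2025-04-20T08:02:11|LOGIN_SUCCESS|alice|alice|10.20.1.15
2025-04-20T09:15:40|HELPDESK_PASSWORD_RESET|alice|helpdesk.bob|10.20.5.3
2025-04-20T09:18:02|MFA_METHOD_ADDED|alice|helpdesk.bob|10.20.5.3
2025-04-20T09:24:57|LOGIN_SUCCESS|alice|alice|203.0.113.42
2025-04-19T17:30:00|LOGIN_SUCCESS|carol|carol|10.20.1.77
2025-04-20T10:01:00|HELPDESK_PASSWORD_RESET|carol|helpdesk.dan|10.20.5.3
2025-04-20T10:05:30|LOGIN_SUCCESS|carol|carol|10.20.1.77
2025-04-20T11:00:00|LOGIN_SUCCESS|erin|erin|10.20.1.90
2025-04-20T11:30:00|HELPDESK_PASSWORD_RESET|erin|helpdesk.bob|10.20.5.3
2025-04-20T11:35:00|LOGIN_SUCCESS|erin|erin|198.51.100.7
"""

MFA_CHANGE_EVENTS = {"MFA_METHOD_ADDED", "MFA_RESET"}


def parse_line(line):
    """Parse one pipe-delimited audit line into a dict with a datetime timestamp."""
    ts, event, user, actor, ip = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": user, "actor": actor, "ip": ip}


def detect_helpdesk_takeover(log_text, window=timedelta(hours=2)):
    """Return alerts for help-desk password resets that are followed, within
    `window`, by an MFA method change and/or a login from a never-before-seen IP.

    Severity is "high" when both signals are present and "medium" for one.
    A login from an IP the user already used before the reset, with no MFA
    change, raises nothing (the reset is most likely a genuine lock-out)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    known_ips = defaultdict(set)   # user -> IPs seen in successful logins so far
    pending = {}                   # user -> context of an open help-desk reset
    alerts = []
    for e in events:
        user = e["user"]
        ctx = pending.get(user)
        # Drop reset contexts that have aged out of the correlation window.
        if ctx and e["ts"] - ctx["reset_at"] > window:
            pending.pop(user)
            ctx = None
        if e["event"] == "HELPDESK_PASSWORD_RESET":
            # Snapshot the user's IP baseline as it stood before the reset.
            pending[user] = {"reset_at": e["ts"], "actor": e["actor"],
                             "mfa_changed": False,
                             "baseline_ips": set(known_ips[user])}
        elif e["event"] in MFA_CHANGE_EVENTS and ctx:
            ctx["mfa_changed"] = True
        elif e["event"] == "LOGIN_SUCCESS":
            if ctx:
                new_ip = e["ip"] not in ctx["baseline_ips"]
                signals = int(ctx["mfa_changed"]) + int(new_ip)
                if signals:
                    alerts.append({
                        "user": user,
                        "reset_at": ctx["reset_at"].isoformat(),
                        "helpdesk_actor": ctx["actor"],
                        "mfa_changed": ctx["mfa_changed"],
                        "login_ip": e["ip"],
                        "new_ip": new_ip,
                        "severity": "high" if signals == 2 else "medium",
                    })
                pending.pop(user)  # first post-reset login closes the context
            known_ips[user].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(SAMPLE_LOG):
        print(alert)
```

On the constructed log this flags alice as high severity (help-desk reset, new MFA method, first login from 203.0.113.42) and erin as medium (reset followed by a login from an unseen IP, no MFA change), while carol, who logged in from her usual address after the reset, produces no alert. In production the same correlation would sit in the SIEM and page the SOC rather than print, and the help-desk agent named in `helpdesk_actor` is the first person to ask which identity checks were performed.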
🔐 How Apolo Cybersecurity can help
At Apolo Cybersecurity, we specialize in safeguarding retail and distributed enterprises by offering:
- 24/7 SOC + threat intelligence
- Realistic TLPT simulations based on Scattered Spider tactics
- Zero Trust architecture and privileged access controls
- Help-desk and MFA hardening, with phishing-resistant configurations
- Incident response planning and tabletop exercises