Following a breach in April, the boss of the retail and insurance firm has praised the response of her specialist colleagues, but urged other executives to engage in cyber issues
Six months on from a major and destructive cyberattack, the chief executive of the Co-op has warned other senior managers that “the buck stops with us”.
In April, the company suffered a breach in which data related to all 6.5 million members was accessed by attackers. The incident also caused problems with taking payments and managing stock at the retailer’s stores, as well as necessitating the use of manual processes in some of its other businesses, which include funeral care, insurance, and legal advice.
In the introduction to the newly published annual report from the National Cyber Security Centre, the Co-op’s CEO Shirine Khoury-Haq writes an open letter addressed to “business leaders and decision makers”. The missive was penned “in the hope that, by sharing some of our experiences and learnings, you can all feel better equipped in dealing with what is a mounting issue for us all”.
Khoury-Haq advises fellow senior executives that “while you can plan meticulously, invest in the right tools and run countless exercises, nothing truly prepares you for the moment a real cyber event unfolds”.
“The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse,” she says. “That said, those drills are invaluable; they build muscle memory, sharpen instincts, and expose vulnerabilities in your systems.”
The Co-op boss says: “While the security of your systems will no doubt remain on your radar, please continue to account for the fact that the timing and nature of a cyberattack like this is unpredictable. New challenges will always emerge and threats to corporate infrastructures will never stop.”
The letter repeatedly praises the work of the company’s cyber and tech experts in supporting the response to the attack, which it claims had notable success in “mitigating the impact of the primary attack, blocking further attempts and maintaining our ability to still serve our members and customers in our frontline business areas”.
In addition to the gratitude she expresses for this work, Khoury-Haq adds that she is “even closer now to how we defend against cyber threats, and I am routinely engaging with NCSC guidance”.
The letter concludes: “The buck stops with us as senior leaders. Please continue to consider the best route to protecting your business, but also the best means to defend against an attack, including supporting customers and colleagues, at every possible stage.”
In his foreword to the annual report – which comes in light of high-profile attacks on the Co-op, Harrods, Marks and Spencer, and Jaguar Land Rover – NCSC chief executive Richard Horne also focuses on the risks posed to major companies by cyberattacks, warning that “any leader who fails to prepare for that scenario is jeopardising their business’s future”.
“The recent cyberattacks must act as a wake-up call,” Horne says. “The new normal is that cyber criminals will target organisations of all sizes, operating in any sector. From local coffee shops to providers of critical national infrastructure, every organisation must understand their exposure, build their defences and have a plan for how they would continue to operate without their IT (and rebuild that IT at pace) were an attack to get through.”
He adds: “For too long, cybersecurity has been regarded as an issue predominantly for technical staff. This must change. All business leaders need to take responsibility for their organisation’s cyber resilience.”
Alongside the publication of the review, the NCSC has also this week unveiled a new Cyber Action Toolkit, developed for small businesses and intended to provide tailored advice and suggested actions to help improve cyber resilience.

