Co-op narrowly avoided an even worse cyber attack, BBC learns


Co-op narrowly averted being locked out of its computer systems during the cyber attack that saw customer data stolen and store shelves left bare, the hackers who claim responsibility have told the BBC.

The revelation could help explain why Co-op has started to recover more quickly than fellow retailer M&S, which had its systems more comprehensively compromised, and is still unable to carry out online orders.

Hackers who have claimed responsibility for both attacks told the BBC they tried to infect Co-op with malicious software known as ransomware – but failed when the firm discovered the attack in action.

Both Co-op and M&S declined to comment.

The gang, using the cyber crime service DragonForce, sent the BBC a long, offensive rant about their attack.

“Co-op’s network never ever suffered ransomware. They yanked their own plug – tanking sales, burning logistics, and torching shareholder value,” the criminals said.

But cyber experts like Jen Ellis from the Ransomware Task Force said the response from Co-op was sensible.

“Co-op seems to have opted for self-imposed immediate-term disruption as a means of avoiding criminal-imposed, longer-term disruption. It seems to have been a good call for them in this instance,” she said.

Ms Ellis said these kinds of crisis decisions are often taken quickly when hackers have breached a network and can be extremely difficult.

Speaking exclusively to the BBC, the criminals claimed to have breached Co-op’s computer systems long before they were discovered.

“We spent a while seated in their network,” they boasted.

They stole a large amount of private customer data and were planning to infect the company with ransomware, but were detected.

Ransomware is a kind of attack where hackers scramble computer systems and demand payment from victims in exchange for handing back control.

It would also have made the restoration of Co-op’s systems more complex, time-consuming and expensive – exactly the problems M&S appears to be wrestling with.

The criminals claim they were also behind the attack on M&S which struck over Easter.

Although M&S has yet to confirm it is dealing with ransomware, cyber experts have long said that is the situation and M&S has not issued any advice or corrections to the contrary.

Nearly three weeks on, the retailer is still struggling to get back to normal, as online orders are still suspended and some shops have had continued issues with contactless payments and empty shelves this week.

An analysis from Bank of America estimates the fallout from the hack is costing M&S £43m per week.

On Tuesday, M&S admitted personal customer data was stolen in the hack, which could include telephone numbers, home addresses and dates of birth.

It added the data theft did not include useable payment or card details, or any account passwords – but nonetheless urged customers to reset their account details and be wary of potential scammers using the information to make contact.

Co-op seems to be recovering more quickly, saying its shelves will start to return to normal from this weekend.

Nonetheless it is expected to feel the effects of the cyber attack for some time.

“Co-op have acted quickly and their work on the recovery helps to soften things slightly, but rebuilding trust is a bit harder,” Prof Oli Buckley, a cyber security expert at Loughborough University, told the BBC.

“It will be a process of showing that lessons have been learned and there are stronger defences in place,” he added.

The same cyber-crime group has also claimed responsibility for an attempted hack of the London department store Harrods.

The hackers who contacted the BBC say they are from DragonForce, which operates an affiliate cyber crime service so anyone can use their malicious software and website to carry out attacks and extortions.

It’s not known who is ultimately using the service to attack the retailers, but some security experts say the tactics seen are similar to those of a loosely coordinated group of hackers who have been called Scattered Spider or Octo Tempest.

The gang operates on Telegram and Discord channels and is English-speaking and young – in some cases only teenagers.

Conversations with Co-op hackers were carried out in text form – but it is clear the hacker, who called himself a spokesperson, was a fluent English speaker.

They say two of the hackers want to be known as “Raymond Reddington” and “Dembe Zuma” after characters from US crime thriller Blacklist, which involves a wanted criminal helping police take down other criminals on a ‘blacklist’.

The hackers say “we’re putting UK retailers on the Blacklist”.


