Last month’s cyber attack on the Co-op Group, which caused supply disruptions across the UK consumer-owned retail sector, is the latest reminder of the threat of online crime to businesses.
With co-ops around the world active in vital sectors like food production and supply, banking and insurance, energy, healthcare and housing, they find themselves on the frontline as criminals and terrorists target the vulnerable spots of 21st century civilisation.
As press reports about the hackers targeting the Group suggest, perpretrators are often tech-savvy teenagers, with links to wider online crime networks. Other hackers have the backing of foreign states such as China and Russia, as the emerging new Cold War takes on an online dimension, and vital infrastructure becomes as much a target as valuable member data.
The Co-op Group – hacked at the same time as M&S and Harrods – is not the first co-op retailer to fall victim to online gangs: Canada’s Federated Co-ops was hit last summer and Coop Sweden was attacked over Christmas 2023. Nor is the attack on the Group only impacting food: systems at Co-op Legal Services have been taken offline, leaving clients unable to access details on services such as probate.
Related: Sector leaders look at cybercrime and crisis communications
Other co-op sectors are also falling victim: in 2021, US farm group New Cooperative was hit by a ransomware attack, potentially endangering operations of a company key to the agricultural supply chain. The following spring, the FBI warned farm co-ops of a heightened cyber threat in planting and harvest seasons.
Finance co-ops are an obvious target: in 2019, Canadian credit union giant Desjardins suffered a data breach which affected 4.2 million members and 137,000 business clients, and in 2021 agreed a CA$201m settlement in a class action brought against it.
And in December 2023, around 60 US credit unions reported outages after a ransomware attack against a third-party IT provider serving the sector. Third parties are a vulnerable spot in cyber defences: last year, an analysis by KPMG found that nearly half of the cyber breaches in the US energy sector come from third-party platforms. Electric co-op apex NRECA said its members has suffered impacts from this.
Retail
So how should co-ops respond? On one level, they can amend their operations to make themselves less vulnerable when systems go down. The attack on the Group is a reminder of the weakness of the just-in-time distribution model – already exposed by disruption to supply chains from Brexit and the Covid-19 pandemic.
While just-in-time has proved a boon in terms of profitability and consumer choice, Tim Lang, professor of food policy at City University, told the Grocer during lockdown in 2020: “It’s not right for resilience. It needs to be rethought.”
An obvious response – a more diverse supply chain – was hastily put into action after the cyber attack, as retail societies missing out on vital deliveries through the Co-op Group enlisted the help of their local suppliers to keep the shelves filled.
Equally important is locking the stable in the first place, to stop the horse from bolting. The advice from experts is familiar: deploy firewalls, intrusion detection systems, and data encryption; carry out regular vulnerability assessments; create incident response plans; and review old legacy systems.
Happily for co-ops, increased security also calls for collaboration and information-sharing – intrinsic to the movement’s values – with ongoing IT training, scam alerts and other important tech updates.
Finance
The issue is a critical one for the finance sector, and was discussed by Debbie Crosbie, CEO of the Nationwide Building Society at the recent Building Societies Association conference.
“We do have to think about change and how we respond to external threats,” she said. “Nobody is insulated from the issues that are happening externally, geopolitics, the US tariffs, cyber crime.
“We cannot take for granted that building societies will just continue to exist if we don’t change and evolve. We have to think so carefully about resilience, cyber security. You all know the impacts of the power outage in Spain and Portugal, or what’s happened to some of the biggest high street retailers recently.
Related: Unimed medical co-op responds to data leak reports
“If very large, powerful organisations face these threats, you do have to think very carefully, as a smaller credit union or building society, about how well insulated you are set up to defend against those threats.”
For smaller entities, that could mean merging, she warned. “Many smaller mutuals will have a huge amount of challenge facing into the increasing cost of capital, the regulatory burdens, the need to continue to invest in it resilience.
“Now, while consolidation may not be the only answer, I would suggest that a number of you do have to think about the ways you can come together to provide more strength for the sector.“
She added: “The change might be as simple as finding different ways to collaborate. Maybe it’s about consolidation of back offices, maybe it’s about sharing services. Maybe it’s about finding ways to deal with suppliers in a much more cost effective way. But I would say to you all that, without facing into these challenges and thinking of new and different ways to innovate, we run the risk of being left behind.”
The regulatory requirements on credit unions to meet the cyber threat are heavy. In the US, the National Credit Union Administration says: “Compliance alone isn’t enough – credit unions must cultivate awareness at every level of the organisation to keep up with cybercriminals’ constantly shifting tactics. This requires ongoing education, best practices, and a commitment to embedding security into daily operations.
“Building this mindset takes more than regular training sessions. Cybersecurity must be a shared responsibility, where every employee plays a role in identifying and mitigating risks. By making security a priority, credit unions can meet regulatory expectations while protecting members’ data and financial assets.”
That means robust procedures with third parties, the regulator adds. “Securing digital systems and third-party services becomes essential when managing credit risk or liquidity concerns. A strong cybersecurity strategy safeguards member data and supports financial stability by preventing costly breaches, fraud, and reputational damage.
Information security is also key. “Credit unions must implement and continually refine information security programmes that preserve financial assets and sensitive member data. This includes comprehensive risk assessments, establishing and testing security controls, and developing an incident response plan to address potential cyber threats.
“Credit unions must embed cybersecurity as a core aspect of their organisational culture, ensuring that boards and leadership provide oversight and governance.”
Risk assessments must be carried out on all third-party vendors, the NCUA adds, and any incident should be reported immediately.
Desjardins, its own brush with cybercrime fresh in the memory, issues its own advice: test IT systems using a diganostic tool; train staff on password safety and advoiding dangerous links and stay informed on the latest updates on cybersecurity.
This “requires ongoing efforts and investment”, warns Desjardins, which offers financing solutions and insurance products to help.
“To make cybersecurity a priority in your business,” it adds, “you need to budget for it. Investing in a cyber insurance policy and a cybersecurity strategy will allow you to react properly in the event of an attack. And setting aside funds to keep your security tools and employee training programs up to date will help you prevent incidents in the first place.”
Energy
NRECA, the apex for The USA’s rural electric co-ops, has been working closely with the government on cybersecurity – and next month, hosts a three-day Co-op Cyber Tech conference, offering “opportunities for peer-to-peer and industry-to-peer collaboration, skills development, and advancement”.
In April, the apex hosted a podcast where its director of cybersecurity Carter Manucy again stressed the risk of a third party breach. “Maybe it’s a cloud storage provider, email, maybe it’s customer service, billing platform. It may be somebody that’s monitoring endpoints for you through like a managed service provider. It could be somebody that’s doing firewall help for you or security operations centres.”
He added: “We’re not pointing fingers. We’re identifying a key area where a trusted security has to be balanced.”
The consequences can be serious, warned Mauncy, recalling a 2020 breach at Solar Winds, a trusted IT infrastructure management vendor whose software is used globally to monitor and manage networks. Hackers used it to upload malware to thousands of customers, including NRECA alongside government agencies, large enterprises and utilities – who would have suspected nothing, because it was an authorised patch.
To fend off this threat, NRECA is working with third party vendors to beef up their security, said Manucuy.
Tanner Greer, senior vice president and chief technology officer at Blue Ridge Energy in North Carolina, told the podcast about a cyber attack on his co-op in 2023. Blue Ridge was notified by a vendor of breach – and soon after, was contacted by a cybersecurity vendor and informed that its data had been found on the dark web. “At that point we had to really take things into our own hands. We knew, some amount of our data was out there, we didn’t know how much.”
To investigate, the co-op had to play carefully. “We didn’t want to access things on the dark web from company assets …. So we pulled some old machines out that would previously have been retired, and we got an LTE modem that wasn’t connected to anything else inside, and we went to the location that the vendor had sent us in the email.
“There we found a data dump from this breach, so we downloaded that.”
This was a time-consuming process, but the analysis found data for employees and some of the members. “We would just constantly go back and report that,” Greer told the podcast, “and as we found a little bit more, we would report a little bit more, until we felt like we had a good handle on all the records that were out there.”
After that came the tough job of warning those whose data was breached. “We’re going to tell them as much as we could, as fast as we could.”
The next step was to claim on cyber insurance – with the provider offering legal counsel – and to work with the vendor where the breach took place.
Being part of the co-op movement helps, he added. “Sharing data between co-ops, it’s such a big thing, and I think we can inspire each other to better things.”
