Turns out 6.5 million Co-op members had their personal data nicked. Time for some socially-pleasing stable door shutting...

Stuart Lauchlan, July 17, 2025
Summary:
The scale of Co-op's recent cyber-incursion was more widespread than it initially seemed with every member impacted. Next up, how to re-build confidence.

As part of our ongoing review of the impact of what happened to Marks & Spencer (M&S) during its recent devastating cyber-attack, we noted that even once the systems affected are finally back up and running next month (it hopes), there will remain a challenge of re-building consumer confidence. As company Chairman Archie Norman pointed out, being a high-profile victim of a cyber-attack makes you all the more likely to attract attention for a repeat assault by others.

Even as the authorities take action against four individuals for the attack on M&S and a less high-profile one on The Co-op Group, that challenge remains. For its part, Co-op has made its first public move to ‘make amends’ with its customers. But is it a strong move that will improve protection in the future or a ‘shutting the stable door’ PR gesture?

The scale of the Co-op incursion has been revealed by CEO Shirine Khoury-Haq as impacting on every member - Co-op offers a membership scheme where people pay to own a share of the business as a co-operative. Basically if Co-op had your personal details on file, then the hackers got them - and that means 6.5 million people in this case.

The organization responded as quickly to the assault as it could, insists Khoury-Haq:

We realised it was happening when the cyber criminals started moving around within our systems and that is when we took action to stop them. Unfortunately by the time we had done that, they had made a copy of one of our files, but we did block them from doing anything else. It meant shutting down our systems quite dramatically.

She adds:

There was no financial data, no transaction data, but it was names and addresses and contact information that was lost.

But she admits:

We know that a lot of that information is out there anyway but people will be worried and all members should be concerned. As soon as we knew what had been taken, we informed our members. We also advised them on what they needed to do to protect their information as well. But I am devastated by that, I am devastated that the information was taken.

Stable doors 

So back to what happens next? Unlike M&S, Co-op managed to continue to operate as normal despite the attack, meaning that customers externally saw no difference, with the main pressure being placed internally. As Khoury-Haq notes:

The good news was that we managed to keep our frontlines open - our stores and funeral homes stayed open but the impact on colleagues, the impact on our stores, our members, was significant… Early on, I met with our IT staff and they were in the midst of it. I will never forget the looks on their faces, trying to fight off these criminals.

As to the ‘stable door’ gesture, step forward a partnership with social impact business, The Hacking Games, aimed at preventing cyber-crime by identifying young cyber talent and channelling skills into positive, ethical careers. As per the official blah blah:

The initiative is part of Co-op’s long-term response to its own cyber-attack where the growing threat of cybercrime became a reality. This new partnership will combine Co-op's reach into every post code area of the UK, community expertise, 38 Co-op Academy schools and their 6.5 million member base with The Hacking Games’ extensive knowledge and expertise in cyber-crime…

…Co-op wants to help prevent cybercrime before it starts by supporting young people to put their skills to good use. Co-op members have consistently highlighted the importance of creating opportunities for young people. This partnership reflects Co-op’s values-led approach to tackling the root causes of harm. By opening doors and widening access, it aims to reduce risk and offer real alternatives to those who might otherwise be led down the wrong path.

There’s also to be an independent research study led by Professor Lusthaus of University of Oxford, the findings of which will inform future prevention strategies, including a planned pilot within Co-op Academies Trust, which supports 20,000 students across 38 schools. According to Co-op, the ambition is to co-develop a longer-term programme, with potential to expand to the wider UK education system, that supports earlier engagement, targeted student and parent training, and inspires future pathways into ethical cyber careers.

It’s certainly a move that maps nicely onto the public perception of Co-op operational values. Khoury-Haq says:

We know first-hand what it feels like to be targeted by cyber-crime - the disruption it causes, the pressure it puts on colleagues, and the impact it has on the people and communities we serve. We can’t just stand back and hope it doesn’t happen again – to us or to others. Our members expect us to find a co-operative means of tackling the cause, not just the symptom. Our partnership with The Hacking Games lets us reach talented young people early, guide their skills toward protection rather than harm, and open real paths into ethical work. When we expand opportunity we reduce risk, while having a positive impact on society.

For his part, Fergus Hay, co-founder of The Hacking Games, states:

There is an incredible amount of cyber talent out there – but many young people don’t see a path into the industry, or simply don’t realise their skills can be used for good. This partnership with Co-op will help unlock that potential. It’s about giving people the opportunity to do something positive, showing that their talents are valued and creating a generation of ethical hackers to make the world safer.

My take

Look, it’s all to the good at the end of the day and certainly has noble and worthwhile ambitions. So, fair play for a gesture that looks exactly like the sort of ethically-centered thing that we expect from Co-op. 

But the horse already bolted.