If a cyber incident took key systems offline tomorrow, what would actually happen next?
- What stops first?
- What do your customers notice?
- And how quickly can your team make clear decisions under pressure?
If incidents are not handled well, the impact quickly spreads into operations, revenue and leadership.
At Co-op, a cyber incident in 2025 did exactly that. It disrupted stores, affected customers and led to significant lost sales. In 2026, the CEO stepped down after months of disruption, commercial impact and internal pressure following the incident.
That is the part most organisations do not think about. The real impact is not the breach itself. It is what happens after, how far it spreads, and how long it takes to recover. The Co-op example shows how that plays out in practice.
What Happened at Co-op: A Simple Timeline
- Late April 2025: Initial Compromise and Access Attempts
Attackers likely gained access days before the incident became public, with activity reported between 22 and 27 April.
- 30 April: Incident Confirmed and Containment Begins
Co-op shut down parts of its IT systems to contain the threat. This included stock management systems, which directly affected store operations.
- Immediate Impact: Operational Disruption
Stores experienced gaps on shelves, and some payment and logistics processes were affected. What started as a security issue quickly became visible to customers.
- Early May: Internal Restrictions and Uncertainty
Staff were advised to avoid certain systems such as VPN access and to be cautious with communications, reflecting uncertainty about how far the attackers had penetrated.
- 2 May: Data Breach Becomes Public
Following contact between attackers and the media, Co-op confirmed that member data had been accessed, shifting the incident into a customer trust issue.
- May Onwards: Ongoing Disruption and Recovery
Stock shortages continued while systems were restored. Customer communications were issued, and operations gradually stabilised rather than returning to normal immediately.
- Following Months: Commercial Impact Becomes Clear
The organisation reported around £285m in lost sales linked to the incident and response, alongside a wider annual loss.
- 2026: Leadership Change Amid Wider Pressure
The chief executive stepped down after a turbulent period that included both the cyber incident and reported concerns about internal culture.
What Actually Drove the Cost
The breach itself was only the starting point. The cost built in layers.
Operational Disruption
Taking systems offline was necessary, but it directly affected stock, stores, and supply chains. That is where revenue impact began.
Prolonged Recovery
Recovery was not immediate. Restoring systems and supply chains took time, and during that period normal trading was affected.
Loss of Momentum
Focus shifted to response and recovery. Other priorities slowed, which compounded the commercial impact.
This is how an incident reaches hundreds of millions in cost. Not through a single failure, but through how long the disruption lasts and how widely it spreads.
Where Culture Intersects with Response
Alongside the incident, there were reports from some senior staff describing a culture where people felt unable to challenge decisions or raise concerns.
It is important to treat this carefully, but it is relevant.
During an incident, response depends on how quickly information moves and how confidently people act. If concerns take longer to surface or decisions are harder to challenge, response can slow down at the point where speed matters most.
That does not cause an incident, but it can influence how it unfolds.
What This Means for You
There is nothing unusual about this sequence.
A cyber incident led to:
- systems being taken offline
- visible disruption to customers
- a measurable drop in sales
- pressure on leadership
The more practical question is how this would play out in your environment.
- If key systems were taken offline, what would continue and what would stop?
- How long would it take to restore normal operations, not just partial service?
- Where would decisions slow down during an incident?
These are the factors that shape the real cost.
A More Grounded View of Breach Impact
The Co-op example shows that the cost of a breach is not a single moment. It is a sequence that moves from technical issue to operational disruption, then into commercial and leadership impact.
For a security leader, that shifts the focus slightly.
It is not just about stopping incidents. It is about understanding how the organisation will operate when one happens, and how quickly it can recover.
Where to Go Next
If you are looking at your own environment and asking similar questions, it can help to work through them with someone who has seen how these situations play out in practice.
Speaking to experienced practitioners can give you a clearer view of where disruption is most likely to occur, how response decisions hold up under pressure, and what realistic recovery looks like for your organisation.
