2. June 2026

Leadership Responsibility, Cyber Security Resilience and the Stress

As a former CEO & CFO accountable for organisations operating in highly regulated environments, employing 1,000’s of people and holding 10,000’s of customers’ data, I wanted to share the open letter published by the recently departed CEO of the Co-op. 

I can guarantee that it understates the stress and angst this cyber-attack caused. Individuals are under tremendous pressure in these situations as personal livelihoods are at risk. It’s hard to keep a clear head at such a time. Managing priorities is essential. Having rehearsed procedures vital. We all think (or hope) that it can never happen to us; but unfortunately, it can.

This is a fast-changing landscape as technologies evolve at pace and business foundations can struggle to keep up. Supporting your people, having an appropriate skill set, resilient business foundations, tested business recovery plans and appropriate culture are critical. 

The letter:

An open letter from Shirine Khoury‑Haq, CEO of The Co‑op Group, reflecting on the high‑profile cyber attack.

Dear business leaders & decision makers,

I am writing this letter as a CEO whose business has just experienced a cyber attack, in the hope that by sharing some of our experiences and learnings, you can all feel better equipped in dealing with what is a mounting issue for us all.

On April 25th, our Co-op was the victim of a multi-stage cyber attack, as confirmed by the National Cyber Security Centre and National Crime Agency, which were both close to our investigation. 

While you can plan meticulously, invest in the right tools and run countless exercises, nothing truly prepares youfor the moment a real cyber event unfolds. The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse. That said, those drills are invaluable - they build muscle memory, sharpen instincts, and expose vulnerabilities in your systems.

At Co-op, our routine investment in security, the deliberate segregation of systems and frequent testing laid a strong foundation for our response to this cyber attack. It was, however, the extraordinary talent of our in-house teams and partners that made the difference.

Together, we responded quickly and decisively, mitigating the impact of the primary attack, blocking further attempts and maintaining our ability to still serve our members and customers in our frontline business areas, despite the significant business interruption and impact that this incident created.

Despite our swift and effective action to defend our Co-op from the hackers, some of our members’ data was accessed, such as names, contact details and dates of birth. As a member-owned business, this affected us all deeply and our apology was transparent and swift.

The attack has had a significant impact on me, my colleagues and on our members. I will never forget the strain it put on those people making it right, or the concern it has given our members, to whom I answer.

While the security of your systems will no doubt remain on your radar, please continue to account for the fact that the timing and nature of a cyber attack like this is unpredictable. New challenges will always emerge and threats to corporate infrastructures will never stop.

And where I am grateful for my teams and experts, I am even closer now to how we defend against cyber threats, and I am routinely engaging with NCSC guidance. 

The buck stops with us as senior leaders. Please continue to consider the best route to protecting your business, but also the best means to defend against an attack, including supporting customers and colleagues, at every possible stage.

Yours sincerely,

Shirine Khoury-Haq — CEO, The Co-op Group

Published by @NCSC in the Annual Review 2025

At www.ithacacybersecurity.com our mission is to support businesses to mitigate risk and secure their business foundations. Our style is to work collaboratively and tailor the service to meet the customer’s needs.