Business and Trade Sub-Committee on Economic Security, Arms and Export Controls — Oral Evidence (HC 835)

8 Jul 2025
Chair

Welcome to the second panel investigating the cyber-security of our country. I am very grateful to both of you, Dominic and Rob, for joining us from the Co-op Group. John Cooper will open the questioning for us this morning.

John Cooper (Conservative and Unionist Party, Dumfries and Galloway)

I should declare a non-financial interest in that my son actually works for the Co-op, so to some extent he was on the frontline of all this. Could you just give us a picture of what happened, and a sense of how you realised that you had a problem and what the difficulties then were? Our understanding, from the previous session, is that you may have taken a decision yourselves that was a bit like a doctor cutting off an injured limb to save the body—a lot of the damage may have been, in effect, self-inflicted. If you could talk us through your decision-making process, it would be really helpful.

Dominic Kendal-Ward

First, thank you for inviting us here. It is a good analogy, and we have had a number of analogies used. It might be helpful, in a moment, for Rob just to take you through what we saw the attackers do and how we responded. Before we do that, this was a sophisticated cyber-attack on Co-op Group in April. The criminals used a variety of methods to access systems and data. Within hours, we had detected those and set up our continuity processes. In doing so, we managed to prevent the deployment of ransomware and any serious damage to either our systems or our members. However, I think there is a reality check here: no organisation, regardless of how prepared you might be, is entirely invulnerable to these sorts of attacks, and they are going to get more sophisticated. For example, the actions that were taken to avoid that more serious disruption, however controlled and proactive they may have been, had a significant impact for a short period of time on some parts of our operations. We know that member information was limited to names, addresses and contact details, such as dates of birth, but that was still copied by the attackers when they were in our systems for such a short period of time. It is important that we say to our members that we are very sorry for that, and we feel their concerns deeply. It is important that we recognise that this is something that is going to become more and more sophisticated. Despite the proactive steps that Rob and his team have taken, as well as all our colleagues to whom we are massively thankful for how well they have pulled together, those steps are not going to be the answer to making sure that we are entirely impervious to cyber-attacks in the future. If it is okay, it might be helpful for Rob just to take you through everything.

Chair

Yes. Rob, tell us what happened. How did people get in and what do we know about who they were?

Rob Elsey

I will take a minute or two and just walk you through the salient points. The initial attack took place on 25 April. In effect, we saw from our side a colleague account acting maliciously. Our cyber-defences kicked in immediately and restricted the activities of that account.

Chair

At this stage, were you aware that there had been an attack on Marks & Spencer?

Rob Elsey

We were not. We actually spoke to them after we had contained the threat. In the following week, via the NCSC, we were very helpfully able to exchange notes, but by that point we were unaware of the activities. We had reached out, but clearly they were having a very busy time.

Dominic Kendal-Ward

There was media speculation, so we knew that they had been disrupted.

Rob Elsey

So we saw the malicious behaviour within literally minutes. When the systems block those activities, they notify our teams—they were logged in. For the next 12 to 24 hours, it is best summarised as a bit of a firefight, as we were locking accounts out and trying to restrict what they were able to do. At that point, on the Sunday, we had effectively restricted things like VPN access, as well as remote access to our systems, as a way of ensuring that we were able to keep the criminals out of our systems. In doing so, there was some minor impact to some of our colleagues, because they could not work remotely at that point for certain systems. It is worth me also pointing out that our systems are heavily segregated, which means that this was very much focused on one specific zone. Throughout this, all our online business continued to operate normally, and our retail stores and payments are segmented, so they were not part of this attack. Specifically, after the attack had taken place, we then brought in our pre-agreed forensics teams, which we had on contract prior to these events occurring. We stood up our incident management response. This was on the Sunday, with the event having occurred on the Friday. By Monday, we were clearly going through the forensic analysis of precisely what had taken place. This, as Dominic says, was a sophisticated attack, and it was actually multi-stage. Interestingly, on the Thursday of that week, we saw software within our network effectively trying to communicate with a threat actor’s website. That is where you start to try to download a payload or the ransomware would effectively come and deploy. Again, our defences spotted that those IP addresses were of a threat nature, and therefore blocked all communication.
We then identified the source, the place where the beaconing was coming from, and took the proactive measure to pause all of the communication within that zone—because you cannot guarantee when you are watching 4,000 website contacts happening a minute that one of them may not, for example, be listed—until we were able to identify its root cause. We then identified that the root had spread to a number of the main controllers. That is a technical term, but it effectively meant that we held the block in place while we rebuilt the roughly 40 or so key system pieces of equipment. We were then able to restore service around 14 days after. We left the block on about a week. At that point, we had clearly mitigated the ransomware deployment, but we had also ensured that we had done the containment exercise for our core network before we were able to start releasing our systems and services. Through that period, we were using business continuity plans for the two weeks on things such as our food ordering to store. That was heavily oriented to our back office, so it is the sort of systems we use for putting orders out to suppliers or some of our colleague-facing systems. As I say, our customer-facing services were still available throughout.

John Cooper (Conservative and Unionist Party, Dumfries and Galloway)

You have given us a good overview there, and talked about how your systems coped. Like most companies, you presumably war gamed this sort of eventuality. What is your assessment of how well you had prepared? Hindsight is 20:20, of course, but do you think you could have done more and what more could you have done? You talked about the compartmentalisation of your systems. I presume that was done deliberately with one eye on this kind of eventuality. Is that something you think was helpful?

Rob Elsey

Both excellent questions. On the first one, war gaming is something we absolutely do. It takes two forms. You will hear me talk about things such as our crisis management response—we have a bronze, silver, gold approach. We had war gamed this precise scenario as a leadership team before, so the board itself was very well prepared for who would take what role. That definitely paid dividends through the crisis. With regards to technical, we run what we call red team or purple team exercises. These are simulated attacks where we pay third parties to act as the criminal gang. We provide them with no devices, and then we provide them with devices. We take the learnings from that and make sure it feeds into our annual investment in cyber-security. If you could remind me of the second part of your question, that would be very helpful.

John Cooper (Conservative and Unionist Party, Dumfries and Galloway)

How well do you think your systems coped? You think it went well on a board level. Was the system itself, because it was designed to effectively firewall things, quite helpful, too? At the end of the day, you had red teamed this, but it still happened, so is the level of threat higher than you had anticipated?

Rob Elsey

I think the most important thing is that there is no one rule to cyber-security defence. For us, it is the layered components. It is true that you cannot prevent everything such as social engineering or what we call zero-day vulnerabilities, which are gaps found in software that nobody knows about. You have to make sure that you can not only detect, which is what you saw play out in the scenario I discussed, but respond very effectively. There are a number of pieces of equipment at our disposal. We must also ensure that we have thought through what those business continuity plans will be. There are always lessons to be learnt. It does not matter how many times you do a simulated exercise, even with that type of thing. There are pressures in the moment on the individuals and teams involved. On the record, I want to say how appreciative I have been of my own teams and their ability to respond in what is an incredibly tough situation. These are husbands and wives and mums and dads, and they are required to put in an awful lot of time, and it is a very high-pressure environment because their decisions count in the moment. There are always learnings from a real experience versus those simulated ones, but the simulated ones are incredibly helpful.

John Cooper (Conservative and Unionist Party, Dumfries and Galloway)

Can I just pick up on the social engineering point that you mentioned. Is that your understanding of how these people got in? In my limited knowledge, social engineering is where there is effectively an impersonation: someone phones you or the IT people and says, “Can I change my password”, but that person is not who they purport to be. Is that your situation?

Rob Elsey

Absolutely. They were able to impersonate a colleague and successfully answer a number of security questions to get their account reset. That activity happened about an hour before they started to use the account maliciously. At that point, our teams were notified because the types of activity they were trying to do were not prohibited on the network, and they responded immediately to that.

Mr Reynolds

I want to talk briefly about how the business has been impacted in terms of day-to-day customers and members. Also, with the Co-op Group having different co-operative societies across the country, which are obviously different independent companies but supplied by you as a group, could you talk specifically about how that communication process worked and how those businesses were impacted, too?

Dominic Kendal-Ward

I will give an overview and then Rob can come in if there are specific points on the technical side. Because of the nature of our business and, as we have mentioned before, the segregation of our systems, the impact was quite different across different areas. For example, our online business and payment systems were unimpacted, and all our stores remained open. However, within our distribution centre we were reverting back to the manual processes that were referred to in the previous panel, which obviously had a significant impact on efficiency.

Chair

Were those back-up, paper-based systems all ready?

Dominic Kendal-Ward

They were there, but it is about how often you test them—that is a key piece. One thing we learned, going back to your question, Mr Cooper, was that the parts of our business continuity exercise that paid off most in the preparation stages are actually the parts that dictate exactly how you are going to make decisions in that pressured moment. It is more about the generic ways of working. Of course you can look at specific events, but you never know which particular part of the system will be impacted and how it will work. There is lots we have learned within that, which we will be taking away, about where our key vulnerabilities are when we go back to those paper-based systems—are they in the depots or elsewhere? Again, that will have an impact, because had it been the payment system, we would have had to have found a different approach. You need to be prepared on the specifics and understand where the key things are to keep your business running, but equally, you do not ever know quite what the impact will be when these sorts of things hit in the way they do. How you make sure that you can make those decisions and take any actions that you can quickly is probably the most critical part. There was an impact across our food business, but there was no impact across our wholesale business. We also deliver to a number of independent stores, including the Nisa brand, which is part of the Co-op Group, and that was not impacted. However, some of our franchise stores, and importantly, as you referenced, the independent society members, were impacted. For any Committee member who is not aware, there are a number of co-operative societies. We are the largest, but we also supply goods under buying group arrangements to the other societies. Although they were not impacted directly by the cyber-attack, obviously there was a knock-on effect from the impacts in depots. The other thing that we had to consider is the impact on different localities and stores.
We run a number of stores—what we call our lifeline stores—in areas where the impact of a store being shut is different. In some areas, such as the highlands or some of the islands, you cannot just go to a different retailer around the corner. We had to consider how we could get the right prioritisation on those. Across our life services businesses, our insurance business was unimpacted and our Funeralcare business managed to continue to provide all the funerals in the way in which loved ones wanted. However, a lot of colleagues in the Funeralcare business were reverting to paper-based systems and, inevitably, we are having to update them now that they are back online. In our legal services business, because of the nature of the systems, colleagues all log on through the methods that were locked down by the actions of Rob and his team. That was more heavily impacted than other parts of the organisation, so we had to prioritise the more critical cases and stop taking on new business so that we could focus on existing customers. The impact was quite varied across our systems, which reflects their segregated nature.

Mr Reynolds

As an organisation with a member-based structure, obviously the kinds of conversations and level of communication you have with your members is very different to that of M&S from the first panel. Could you tell us about how that member communication took place?

Dominic Kendal-Ward

Of course. We are a member-owned organisation. Although we have listed debt, which means that we have some market obligations, we do not have listed shares, so we do not have quite the same considerations around communication to investors. In fact, our owners are the same people who are shopping with us and who are impacted, so we always want to make sure that we are being as transparent as possible with our owners. There is a balance between that and making sure you know enough—in these situations there is always information gathering. Within a few days of the attack happening—noting that it happened on a Friday—we had communicated with our members by way of an announcement to the markets, our website and emails to all our members, or those whom we have email addresses for at least, so that they were aware in particular of the fact that their personal and contact details, and dates of birth had been compromised. For us, the ability to be as transparent as we can be with members is helpful, because we are not then distracted by having to work out in the same way what we can and cannot say. That is why we are keen to continue to be as open as we can be.

Rob Elsey

To add one point to Dominic’s account, we used the opportunity, while still going through the attack, to get in touch with all the CIOs and IT directors of all the independents to offer to have a call with them to explain all the different signatures that we had witnessed and what we were able to do better to mitigate that. We went on to do that with a number of other retailers as well. Again, with those channels, the biggest learning is always—this is not a taboo subject—how we are able to communicate clearly what we can do and what we have learnt to others, so that we prevent any systemic implication. We absolutely did that.

Dominic Kendal-Ward

Absolutely. I am sure we will come on to this at some point, but that information sharing is going to be increasingly critical.

Gregor Poynton (Labour Party, Livingston)

You might have been in the earlier session, but I am keen to understand the differences with and similarities of your response and that of M&S’s, and what we can learn from that. You gave me some of the dates and the timeline—25 April is when the attack started. You became actively aware on the 25th—so it was not just that your systems were not working; it was that you, as people, understood that it was happening.

Rob Elsey

One hundred per cent. I can give you the dates and times: at 7 o’clock, literally within minutes of that, our systems had alerted us automatically and the teams had logged in—within an hour of the malicious content. Clearly, initially that would have looked like a colleague, but this was within literally minutes of the initial—

Gregor Poynton (Labour Party, Livingston)

How long after that did you alert the authorities that that was happening?

Dominic Kendal-Ward

That was over the course of the weekend, so the following day—it might have been the Sunday, actually—the NCA and the NCSC were informed. We updated the ICO and our other regulators—the FCA, the SRA and the GCA—on the Monday, and various other Government Departments, so as quickly as we were aware.

Gregor Poynton (Labour Party, Livingston)

You said that it was a few days until you let your customers, your owners, know.

Dominic Kendal-Ward

In that initial period, there was limited impact directly, and at that point we had not established that any member data had been accessed. As soon as we had established that on the Friday, through the ongoing forensic activity that Rob referred to—it was the same day as the additional action that Rob took, in effect to close down our systems, which had the operational impact—that was the point at which we put out the announcement and made sure that all our members were aware of the impact on them as members, based on the data and the operations perspective.

Gregor Poynton (Labour Party, Livingston)

What date was that?

Dominic Kendal-Ward

That was the Friday, which was 2 May.

Gregor Poynton (Labour Party, Livingston)

Excellent. It sounds like you spoke to other retailers—you mentioned that, Rob. When you discovered the problem, did you alert other retailers in your sector that that was happening to you and what the signatures were that you could see clearly?

Rob Elsey

Yes. There is a trust group among security professionals in retail. They were able to share some of the information there, but also the NCSC facilitated a number of introductions of others who would benefit from the knowledge we had in the weeks preceding and the week immediately afterwards.

Gregor Poynton (Labour Party, Livingston)

It sounds like your systems were segregated, so that helped you withstand some of the attacks.

Rob Elsey

Yes. There are always opportunities in learning to increase segregation, but yes, as I say, all our online services were clearly ringfenced, our payment systems are air-gapped and a number of our businesses will be on different segments of the network, which helped.

Gregor Poynton (Labour Party, Livingston)

I asked this of M&S as well, but in the House of Commons yesterday, the right hon. Member for Goole and Pocklington warned that cyber-attacks and ransomware attacks on major companies are happening: “It has come to my attention that one such company paid a very large sum to its blackmailer recently.” Was that you?

Dominic Kendal-Ward

No, it was not. We did not pay a ransom, and nor did we contemplate or at any point discuss paying a ransom. In fact, through the process, we did not engage at any point with the criminal attackers.

Gregor Poynton (Labour Party, Livingston)

My last question is: were you able to access adequate support from Government from the moment the attack started?

Rob Elsey

I am probably the best person to take that question. The NCSC assigned a representative to work with us pretty much immediately after we notified it on the weekend. It was engaged on the Monday. In fact, Shirine and I met both James, who is here today from the NCA, and Nick who runs things at the NCSC. I think that was about 6 May. The teams throughout have been really supportive. Clearly, the biggest role they were able to play with us is the information sharing. We clearly were sharing more information than we were gleaning at the time, but on other occasions they have been incredibly helpful with different pieces of information or intelligence that they are aware of, in a safe manner.

Dominic Kendal-Ward

More broadly, the rest of our regulators have been supportive and understanding. They were asking all the challenging questions that you would expect them to ask. By virtue of having a good ongoing relationship with those regulators, I actually think it is important for both sides to have that level of trust. We have also had a number of Government Departments reach out to make sure that we have the support that we need, or to ask if there is anything that they can do. From our perspective, the response from Government has been supportive and helpful.

Sonia Kumar (Labour Party, Dudley)

We are living in a technical world, and cyber-security will be at the forefront of ensuring that businesses are secure for the future. Can you walk me through what you think we should be doing for UK businesses to increase resilience from a prophylactic point of view, from points of entry to an alert system to recovery?

Rob Elsey

I am sure I can give you some of my thoughts on the topic. The awareness and preparation we have talked about is absolutely critical. That is about being able to run those simulated exercises and knowing what roles individuals will play, but also about that layered security posture, making sure that you have different lines of defence and that you are not just relying on prevention. Another key thing is that we often look at cyber-security as being, “It’s all about these cyber-tools that will prevent everything from occurring.” Actually, one of the biggest vulnerabilities, as we heard earlier from the last panel, is around legacy systems—they generally will have vulnerabilities in them that may no longer be patched—so it is definitely about staying on top of your IT estate. By that, I mean making sure that you are patching regularly when security updates are provided, and ensuring you monitor that, but also removing that legacy, where patches and so on aren’t being provided, to make sure that you continually refresh and modernise your estate. I still think that there are other things that Government, and certainly businesses, can do. There is a real opportunity in the UK; we have some incredibly smart people leaving schools and universities with an amazing skillset. I was really reassured to see some of the cyber growth plans and initiatives. The more we can do to help to turn the next generation, with the smart skills we have in the UK, to be defenders—rather than attackers, I guess—and educate them about the opportunities, the better. There are a lot of unfilled roles in cyber-security to date, and cyber-crime is a growing opportunity and threat. Encouraging more people in the UK to move into that sector will help us, as a nation, to have the skills and expertise we need to face those ongoing threats.

Sonia Kumar (Labour Party, Dudley)

In terms of the recovery point of view, is there any area where we could be sharing communication, or have an alert system or mandatory reporting? Is there anything else from the recovery stage—that part of the process—that you think we could be doing better?

Rob Elsey

As I said previously, we work very closely with the NCSC, so we notified them immediately. I would expect others to do the same; I think that is a great source of information for everybody. I do think that things could be more facilitated and collaborative. If you look across retail, yes, we may compete on certain items, but actually, with these types of threats, collaboration is key. There are some facilitated sessions, but I think we could see more of them. Other industry sectors potentially do more than we do today, but I am seeing that change already. Apart from that, for me, ensuring your resilience—your business continuity—is key. There were references earlier to the financial sector, which I am clearly fully aware of; I spent quite a chunk working for the Bank of England as well, so I understand some of the policies there. For us, we were already looking at things like having alternative systems available—kind of a “break glass” thing—for critical processes, and that is definitely an area of consideration that we are continuing to look at. I think that the concept of relying on paper and pen in today’s modern society is unsustainable; you will need to have an alternative, air-gapped, segregated, different stack that you can rely on in the event of a crisis to keep your fundamental core services running.

Dominic Kendal-Ward

I was just going to say that it is for businesses and industries—and certainly the retail industry—to make sure that we are actually sharing that information. I think where Government can support us is in creating the safe spaces to do so. I think part of the reason why that sharing does not naturally happen is that, at the point when it is all happening, there is nervousness, around, “Well, we’ve either got a legal consideration or competition consideration, so how do we have this? What’s the connection point to be able to share those learnings and information?” I think creating those safe spaces to do that would be a positive action that Government could take. In the previous panel, you touched on mandatory reporting; I think, hand in hand, that carrot-and-stick combination might actually create better understanding across industries. Part of the tragedy is that sometimes these attacks occur, and it is exactly the same thing that has happened to somebody else elsewhere, but people just did not know that that was where the sophisticated means of attack had moved to.

Sarah Edwards (Labour Party, Tamworth)

I am interested in picking up the point about insurance—the cover it provided and whether, when you look back at the situation, you think, “We didn’t have enough,” or, “They wouldn’t have covered us if—”. I would like to get to the bottom of that. Where does the support for businesses sit? Do you think it worked in your case, and was it fit for purpose? Do you have flags that you would like to raise, and suggest, “Actually, we might have been in very different circumstances if something had happened”?

Dominic Kendal-Ward

I will say up front that we are not expecting to make a significant recovery under an insurance policy. The reality is that this risk is very high up among the various risks that we have on our register, as it is for other organisations. You look at what the various impacts would be of that risk, the various things that you can do to prevent it, and to mitigate it once it has happened. There are technical solutions to that, and insurance has a really important role to play in considering it. We have invested heavily, and it has played out very well. Rob and his team have invested in preventive measures and in the post-event response. We chose not to specifically insure against this event. Obviously, you can get insurance against all sorts of things, and you have to choose which to cover. It is important to say that that is not necessarily a reflection on the quality of the insurance cover out there for these sorts of events; it was just the business decision that was made. The decision on where to put those preventive measures had a number of factors to it, including the impact of the risk, the likelihood of the risk arising, and the strength of the balance sheet—and we have strengthened our balance sheet significantly over the last two to three years. We will, of course, continue to look at all the various tools available, and will inevitably invest heavily in cyber-protection in the future. Whether we decide to take out insurance will depend on that detailed analysis rather than, “Well, this has happened, so we must insure against that specific thing in the future.”

Sarah Edwards (Labour Party, Tamworth)

Did the likelihood on your risk register match, or has it changed?

Dominic Kendal-Ward

It is on the register as an incredibly likely event. Obviously, there is not one type of cyber-attack, and it is important to note, because it has not come up in this session, that, like every business, we are subject to cyber-attacks every single week. The nature of this one was quite different from those we have seen elsewhere due to its sophistication, but we know that we are going to be attacked. There is not even a question of probability; the question is how serious the attack and its resulting impacts could be.

Chair

Are there any other lessons or reflections for public policy that you think Ministers need to absorb from the experience that you have gone through?

Rob Elsey

The only thing that I would stress again is the impact that it has not only on the victim—so the business—but on the people who work for the business. Do not underestimate that. When you speak to those who have been subject to such a thing, you realise how important those colleagues are and, while we have great wellbeing support, how much we need to provide additional support to colleagues throughout what is an incredibly tricky situation. I do not think that we appreciate the human factor that plays through these things.

Chair

Dominic and Rob, thank you for coming to give evidence today.
