What the Co-op Data Breach Can Teach MSPs About Selling Vulnerability Management

On April 22, Co-op detected unauthorized network access. By April 30, the UK retail giant had shut down critical IT systems after the DragonForce ransomware-as-a-service (RaaS) group breached their network, stealing data from millions of customers and severely impacting the company's operations.

The attack crippled Co-op's ability to serve customers, process transactions, and maintain normal business operations — the exact functions that generate revenue. 

For MSPs, it provides yet another example of how to sell vulnerability management. Executives under siege from threat actors care less about features and technical jargon and more about protecting revenue-generating processes. By emphasizing how your services impact business continuity and financial stability, you can have a sales conversation that resonates.

First, let’s take a look at the fallout of the Co-op breach.

Financial Impact of the Co-op Data Breach: Revenue Loss and Business Disruption

The financial consequences for Co-op were swift and severe:

• Significant stock devaluation following the breach announcement and subsequent revelations, with AInvest reporting “the stock plummeted 30% on the news, with fears escalating further…” Though the company saw a brief 10% rebound, shares finally fell 40% below their pre-breach peak.
  
  
• Potential regulatory penalties as the Information Commissioner's Office (ICO) investigates the breach. While fines have not yet been determined, previous major data breaches have resulted in significant penalties under data protection laws (For example, British Airways was fined £20 million in 2020 for a 2018 breach that affected 400,000 customers)
  
  
• Significant operational disruption as multiple IT systems and services were taken offline, with Computer Weekly reporting that the incident led to gaps appearing on shelves at Co-op.
  
  
• $50 million cybersecurity investment pledged by Co-op for upgrades including real-time threat monitoring, employee training, and third-party audits.

As Co-op CEO Shirine Khoury-Haq stated in an email to customers: "This is obviously extremely distressing for our colleagues and members, and I am very sorry this happened. We recognise the importance of data protection and take our obligations to you and our regulators seriously, particularly as a member-owned organisation."

How Co-op Thwarted the Complete DragonForce Ransomware Attack

The breach followed the increasingly common pattern used by sophisticated ransomware groups, though Co-op was able to prevent the attackers from fully executing their plan:

1. Initial Access Through Social Engineering: According to BleepingComputer, the attackers conducted a social engineering attack that allowed them to reset an employee's password, which was then used to breach the network.
   
   
2. Credential Theft and Network Persistence: Once inside, they stole the Windows NTDS.dit file, a database containing password hashes for Windows accounts. Speaking exclusively to the BBC, the criminals claimed to have “spent a while seated in their network” long before they were discovered.
   
   
3. Data Exfiltration: The hackers claimed to have accessed and stolen “a large amount of private customer data” from Co-op's membership scheme, potentially affecting up to 20 million individuals.
   
   
4. Proactive Defensive Shutdown: Most importantly, Co-op's IT team made the strategic decision to "take computer services offline, preventing the criminals from continuing their hack." The attackers told the BBC, "Co-op's network never ever suffered ransomware. They yanked their own plug — tanking sales, burning logistics, and torching shareholder value."
   
   
5. Expert Validation of the Strategy: Cybersecurity expert Jen Ellis from the Ransomware Task Force said (BBC again), "Co-op seems to have opted for self-imposed immediate-term disruption as a means of avoiding criminal-imposed, longer-term disruption. It seems to have been a good call for them in this instance." She noted that "these kinds of crisis decisions are often taken quickly when hackers have breached a network and can be extremely difficult."

According to the BBC, this approach helped Co-op recover more quickly than Marks & Spencer which had its systems more comprehensively compromised and had to shut down online ordering.

Customer Data Compromised in the Co-op Breach

The compromised data included personal information from Co-op's membership rewards program:

• Names
• Dates of birth
• Contact information
• Membership details

Computer Weekly reported that financial details, passwords, and customer shopping habits were not believed to be compromised. Nevertheless, the scale of the breach makes this one of the UK's most significant retail data breaches.

MSP Sales Strategy: Vulnerability Management for Business Protection

The Co-op breach brings a range of lessons for MSPs that can make sales conversations more productive. When selling cybersecurity services, many MSPs focus on technical features. This approach is understandable—MSPs are technical experts and naturally communicate in these terms. However, it often fails to resonate with the prospect's primary concerns and pain points, particularly at the executive level.

Selling Vulnerability Management to Business Executives

Executives have different priorities than technical staff. While they acknowledge the importance of vulnerability management, they're ultimately concerned with:

• Will we be able to serve customers consistently?
• How can we safeguard our revenue streams?
• What would a data breach cost our organization?
• How can we maintain profitability by preventing cyber incidents?

Effective Ways to Reframe the Conversation

MSPs can make vulnerability management more compelling by connecting it to business outcomes:

Instead of saying: "Our vulnerability management solution scans for weaknesses across your network."

Say this: "Our vulnerability management platform protects the systems that allow you to process payments, fulfill orders, and serve customers daily."

Instead of saying: "We offer comprehensive monitoring tools and advanced detection capabilities."

Say this: "We identify and eliminate vulnerabilities before they can disrupt your ability to generate revenue or damage customer trust."

Effective Messaging for MSP Vulnerability Management Services

Successful MSPs position themselves as business protection partners alongside their role as technical service providers. When discussing vulnerability management, emphasize:

• How your services identify vulnerabilities in systems that process customer transactions
• The way you detect potential threats to business-critical applications before they cause harm
• How proactive protection of key systems prevents revenue disruption
• The quantifiable value of preventing a breach compared to the cost of your services

Communicating in terms of business protection transforms vulnerability management from an expense line item into a business investment with measurable returns.

Actionable Steps for MSPs Selling Vulnerability Management Services

1. Map Security to Business Functions: Identify which IT systems directly support revenue generation and prioritize their protection.
   
   
2. Quantify Risk in Dollar Terms: Use data from breaches like Co-op's to help clients understand potential financial impact. The average cost of a data breach reached $4.88 million in 2024, a 10% increase from 2023, according to IBM's annual Cost of a Data Breach Report.
   
   
3. Focus on Prevention: Co-op's ability to detect the attack and shut down systems before complete encryption saved them from potentially catastrophic downtime. Emphasize how your proactive vulnerability management prevents breaches before they occur.
   
   
4. Strengthen MSA Language: Revisit your agreements to clearly describe how your services protect critical business processes, not just technical systems. Define responsibilities and protection standards in specific, business-oriented terms.
   
   
5. Use Business Impact Analysis: Help clients identify their most critical business processes and the IT systems that support them. Prioritize vulnerability management efforts according to business impact.

Start Protecting Critical Business Functions Today

ConnectSecure provides MSPs with the vulnerability management tools needed to pro-actively protect clients' revenue-generating business functions. Our platform delivers comprehensive visibility into client environments, allowing you to identify critical systems and proactively address vulnerabilities before they can impact business operations.

Start your 14-day free trial today and discover how ConnectSecure helps you have more effective conversations with clients about protecting what truly matters — their ability to serve customers and generate revenue.

Read more:
The 2025 Verizon Data Breach Report: A Wake-Up Call for MSPs
MSP Cybersecurity: A Step-by-Step Guide to Staying Ahead of Threats
Global IT Outage: Strategic Insights for MSPs