The Co-op said it does not expect availability in its stores to improve until the weekend, as it continues to recover from a cyber-attack two weeks ago.
The company said it was in the “recovery phase” from the attack and was “working closely with our suppliers to restock our stores”.
But it said its stock ordering system has been brought back online after shutting it down in order to limit the damage from the attack.
‘Gradual’ recovery
The attack disrupted customer payment systems at tills and resulted in widespread shortages in shops, as well as compromising customer and staff data.
The attackers have contacted media outlets claiming to have used the DragonForce crimeware service to carry out the Co-op hack as well as an attack a few days earlier on Marks & Spencer and an attempted hack on luxury retailer Harrods.
The DragonForce service typically involves encrypting an organisation’s data as well as stealing a copy of it, then extorting payments from the victim for restoring the data and keeping the remote copy from being released to other criminals.
The Co-op said it would take time to recover from the incident and that it was “gradually back online in a safe and controlled manner”.
The shortages have hit rural areas particularly hard, particularly in Scotland, as Co-op shops are often the only food source for miles.
The mutual said it has prioritised such areas.
“Following the malicious third-party cyber-attack, we took early and decisive action to restrict access to our systems in order to protect our Co-op,” the company said.
‘Recovery phase’
“We are now in the recovery phase and are taking steps to bring our systems gradually back online in a safe and controlled manner.”
It said all forms of payment, including contactless and chip-and-PIN, are now working across its stores.
Earlier this month the Co-op acknowledged that hackers had accessed data on a “significant number” of its customers, including names and contact details, but not passwords or financial information such as payment card data.
Marks & Spencer has faced a similar level of disruption from the attack on its systems, and has been forced to shut down all online ordering for the past three weeks.
The company said this week that customer data was accessed as part of the attack, including names, addresses and dates of birth that could be used for fraud, but no passwords or card data.