The Co-operative Group (Co-op) has confirmed that the personal data of all 6.5 million of its members was stolen in a cyberattack disclosed earlier this year, marking one of the most significant data breaches to hit the UK retail sector in 2025.
In a televised interview with the BBC, Co-op CEO Shirine Khoury-Haq admitted that hackers successfully exfiltrated names, dates of birth, email addresses, phone numbers, and home addresses from the company's membership systems during the April breach. While no financial or transactional data was stolen, the scale of the exposure has prompted concern among customers and regulators alike.
The breach was initially disclosed on April 30, 2025, when Co-op reported limited disruption to its internal systems, including back-office and customer support operations. At the time, the company emphasized that retail stores, funeral homes, and other services remained fully operational and stated that the impact on members would be minimal. However, subsequent reports, including disclosures from BBC News and internal investigations, confirmed that attackers had gained deep access to membership databases and attempted to initiate extortion efforts.
Co-op, a UK-based consumer cooperative with more than 3,700 food stores and operations spanning funeral services, insurance, and legal services, runs a profit-sharing membership program that is central to its business model.
CEO Shirine Khoury-Haq characterized the attackers as “highly sophisticated” and expressed personal regret for the incident, highlighting the emotional toll on IT staff and affected customers. “We were able to eject them from our systems, but we could not erase what they did,” she told BBC Breakfast, confirming that Co-op provided authorities with digital traces of the intrusion, including behavioral data from within compromised systems.
Technical indicators suggest the attackers may have used social engineering techniques to bypass internal authentication procedures, echoing other attacks on Marks & Spencer and Harrods. The UK’s National Crime Agency (NCA) has linked these incidents to the DragonForce ransomware group and Scattered Spider. These groups are known for exploiting IT helpdesks to impersonate employees and circumvent multi-factor authentication.
On July 10, the NCA arrested four individuals in connection with the attacks: two 19-year-old males, a 17-year-old male, and a 20-year-old woman. The suspects, apprehended in coordinated raids across the West Midlands and London, are under investigation for offenses including blackmail, money laundering, and participation in an organized crime group. All were released on bail pending further inquiries, while seized electronic devices undergo forensic examination.
While Co-op has not publicly disclosed the financial cost of the breach, recovery efforts continue. The organization has partnered with cybersecurity recruitment firm The Hacking Games to promote ethical hacking pathways for young talent, including a pilot program with Co-op Academies Trust. The initiative aims to divert skilled individuals from cybercrime to legitimate security careers.
In response to the breach, Co-op members are advised that their accounts remain secure and usable, but they should be cautious of phishing attempts impersonating the company. Signs of malicious activity may include unexpected emails or messages requesting personal information, especially those invoking urgency or referencing the breach.
Leave a Reply