Co-op has officially confirmed that hackers accessed and exfiltrated member data in a recent cyberattack, marking a significant escalation in a wave of coordinated intrusions targeting UK retail giants.
The breach affects the personal data of members, though no financial information or passwords appear to have been compromised.
The announcement came directly from Shirine Khoury-Haq, CEO of the Co-operative Group, who acknowledged the breach in a message to members on May 6, 2025. Khoury-Haq described the attackers as “highly sophisticated” and confirmed that Co-op had shut down parts of its systems to contain the threat while continuing to work with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to investigate.
According to an updated FAQ page published yesterday, the attackers were able to access and extract names, dates of birth, email addresses, phone numbers, and home addresses from Co-op's membership systems. Critically, Co-op states that sensitive data such as passwords, payment card details, and transactional history were not stored in the compromised system and are believed to be unaffected.
The Co-operative Group is one of the UK's largest consumer co-operatives, operating over 3,700 food stores, funeral services, legal support, and insurance branches nationwide. With millions of member-owners and a sprawling digital infrastructure supporting logistics, governance, and customer engagement, Co-op represents a high-value target for threat actors — especially those seeking to exploit trust-based relationships within large member communities.
This incident follows Co-op's initial disclosure on April 30, when the organization reported “unauthorized access attempts” and limited service disruptions across its back-office systems. At the time, Co-op downplayed the impact, stating no immediate customer action was needed and providing no indication of data theft.
As previously reported, Marks & Spencer and Harrods have also suffered attacks in recent weeks. The NCSC has responded with an urgent advisory, warning of advanced social engineering techniques used by actors linked to the DragonForce ransomware cartel and the loosely affiliated “White-Label Cartel.” These groups are suspected of deploying ransomware and exfiltrating sensitive data across multiple high-profile UK organizations.
Though Co-op has not attributed the attack to a specific threat actor, the methodology appears consistent with recent incidents involving the misuse of IT helpdesks to bypass multi-factor authentication and gain internal access. In Co-op's case, extortion attempts suggest the attackers may also be leveraging stolen data for pressure campaigns against leadership and technical staff.
For now, Co-op members are advised that their accounts remain secure and that they can continue to use their membership cards and mobile apps as usual. However, the organization urges members to remain vigilant against phishing messages or unsolicited calls that may seek to exploit the breach.
Leave a Reply