The Co‑operative Group has confirmed that a cyber‑attack in April this year compromised personal data belonging to all 6.5 million of its members. The breach, one of the most severe against a UK retailer in recent years, has raised serious questions about corporate cybersecurity and consumer protection.
What We Know So Far
April 2025: Co‑op detected unauthorised access to its internal systems and immediately shut down parts of its IT infrastructure to prevent further damage, including disabling inventory systems and virtual desktops. This led to empty shelves and distribution delays in stores and funeral services, though core operations remained functional.
Data Compromised: The attackers accessed names, addresses, phone numbers, email addresses and dates of birth. Crucially, no financial information, passwords or transaction records were exposed.
Hacker Activity: The cyber‑criminal collective Scattered Spider, working via DragonForce ransomware affiliates, is believed to have executed the breach. Their method: social engineering to infiltrate the network and extract data before triggering ransomware.
Fast Response: Co‑op detected the threat within hours and disconnected key network systems—stopping ransomware deployment, though its IT and call centre functions were severely impacted.
Law Enforcement and Regulatory Action
Arrests Made: The National Crime Agency (NCA) arrested four youths aged between 17 and 20, suspected of involvement in the coordinated attacks on Co‑op, Marks & Spencer and Harrods.
Investigations Underway: Co‑op is working closely with the National Cyber Security Centre (NCSC) and the NCA, and has reported the incident to the Information Commissioner’s Office (ICO), as required under UK GDPR.
Security Industry Response: NCSC Director Richard Horne described the incident as a “wake‑up call”. He urged firms to follow NCSC guidance on multi‑factor authentication, staff training, and help‑desk protocols.
Wider Context and Consequences
Retail Sector Attacks Surge: The breach forms part of a wave of incidents affecting prominent UK retailers this spring, including major breaches at M&S and Harrods—some resulting in lost sales, operational shutdowns and hefty financial damages.
Co‑op’s Next Steps: The company has partnered with The Hacking Games to promote ethical cybersecurity careers among youth—an effort to turn talent away from cyber‑crime.
What Members Should Do Now
Remain Vigilant: Expect potential phishing attempts via email, text or phone. Co‑op advises members to stay vigilant and not to share personal or financial information in unsolicited communications.
Protect Personal Data: Update antivirus software and monitor credit reports. The ICO offers support and advice for affected individuals.
Legal Rights: Under GDPR, members whose data has been compromised may claim compensation for distress, and potentially financial losses if negligence is proven.
| Aspect | Implication |
|---|---|
| Scale | Entire membership affected—unusually large for a retail cyber‑incident. |
| Operational impact | Store inventory systems disrupted, funeral services resorted to manual processes. |
| Financial effect | Without cyber‑insurance, Co‑op may face substantial remediation costs. |
| Sector-wide risk | High-profile attacks on UK retailers expose enduring weaknesses in cybersecurity. |




