Incident Overview
In April 2025, the Co-op suffered a major cyber-attack, later confirmed to have compromised the personal data of all 6.5 million members. Initially described as affecting a “significant number,” the full extent was revealed publicly in July when the CEO apologised for the breach.
Hackers exploited social-engineering techniques—specifically impersonating IT staff—to gain internal access, a method also used in parallel attacks on Marks & Spencer and Harrods.
Data Compromised
Exposed data included full names, home addresses, email addresses, phone numbers, dates of birth, and Co-op membership card details. Notably, no financial or transactional data, passwords, or bank details were taken.
Operational Disruption and Attributed Attackers
The attack led Co-op to shut down parts of its IT systems, significantly disrupting operations—grocery store contactless payments, funeral services, and back-office systems were affected.
The intrusion was linked to the DragonForce ransomware operation, believed to be acting on behalf of the Scattered Spider hacking collective.
Response, Notice, and Accountability
- The Co-op’s chief executive, Shirine Khoury-Haq, publicly apologised, describing the breach as deeply personal and underscoring the emotional and operational toll on staff. (The Guardian; Retail Gazette)
- Four individuals—three teenagers and one in their early 20s—were arrested by the National Crime Agency in connection with this and related cyber-attacks. (The Guardian; Computing)
- Despite early detection systems identifying suspicious behaviour within hours, the Co-op’s lack of cyber-insurance means it expects to recover only a small fraction of the financial losses. (Computing)
Legal Actions and Member Impact
A group legal action has been opened, allowing affected members to seek compensation on a no-win, no-fee basis. The claim targets exposure of personal data—including names, contact details, and membership card information—that leaves individuals vulnerable to fraud, phishing, and identity theft.
Over 1,000 members have already registered interest in the lawsuit via the Join the Claim platform. Legal experts emphasise the ongoing risk that stolen data poses, even without financial information being exposed.
Summary Table
| Aspect | Details |
|---|---|
| Attack Date | April 2025 |
| Scope | Personal data of all 6.5 million Co-op members stolen |
| Data Exposed | Names, addresses, emails, phone numbers, dates of birth, membership card numbers |
| Data Not Exposed | Financial details, passwords, transaction history |
| Cause | Social engineering of IT helpdesk making remote access possible |
| Attack Group | DragonForce / Scattered Spider |
| Operational Impact | Disrupted IT, payment systems, funeral services; stores affected |
| Response | CEO apology, NCA arrests, no cyber-insurance claims expected |
| Legal Action | Group claim launched, thousands registering interest |
| Risks to Members | Phishing, identity theft, targeted social engineering |
Key Takeaways
- Scale and Scope: One of the largest retail data breaches in UK history—every Co-op member’s personal data was exposed.
- Human Element: The attack hinged on social engineering, not technical vulnerabilities—a reminder of the critical importance of staff vigilance.
- No Financial Data, but Still Risky: Even without bank details, the information taken can enable highly convincing fraud and impersonation attacks.
- Community Impact: The Co-op’s mutual structure meant the breach affected millions who trusted the brand—making the incident deeply personal for both members and staff.
- Accountability and Redress: A legal pathway for compensation exists; individuals are encouraged to register interest while taking protective action in the meantime.






