Co-op issues apology after cyberattack exposes “significant” amount of customer data

Co-op has issued an apology after confirming hackers accessed and extracted personal data from a “significant number” of its past and current members.

The breach, which affected customer names and contact details, did not include passwords, bank or credit card information, or transaction data.

The retailer, which operates over 2,000 food stores and more than 800 funeral homes across the UK, said it is working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to investigate the incident.

It follows a reported shutdown of some internal IT systems and call centre services last weekend, triggered by an attempted hack on Co-op’s back-office infrastructure.

In a statement, a Co-op spokesperson said:

We are continuing to experience sustained malicious attempts by hackers to access our systems. This is a highly complex situation, which we continue to investigate in conjunction with the NCSC and the NCA.

We have implemented measures to ensure that we prevent unauthorised access to our systems whilst minimising disruption for our members, customers, colleagues and partners.

As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems.

The accessed data included information relating to a significant number of our current and past members.

This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group.

We appreciate that our members have placed their trust in our Co-op when providing information to us. Protecting the security of our members’ and customers’ data is a priority, and we are very sorry that this situation has arisen.”

Latest in a string of retail cyberattacks

Co-op is the latest in a growing list of UK retailers targeted in recent cyber incidents. Harrods is currently investigating a potential breach, while Marks & Spencer was hit by a ransomware attack over the Easter bank holiday weekend.

Initially, M&S shoppers reported issues using contactless payments and click-and-collect services in-store. Online orders have also been paused on its app and website since Friday 25 April. Although the full scale of the disruption is unclear, the retailer has acknowledged “pockets of limited availability in some stores” as food shelves remain empty in certain locations.

The attack was later linked to the hacking group Scattered Spider, which reportedly infiltrated M&S’s IT network, prompting emergency measures and the involvement of cybersecurity specialists.

Since 2022, the hacking group has been linked to more than 100 targeted attacks across industries such as telecoms, finance, retail and gaming.

In one of their most infamous hacks, members of the group locked up the networks of casino operators Caesars Entertainment and MGM Resorts International and demanded hefty ransoms. Caesars reportedly paid the hackers about $15m (£11.2m) to restore its network.

These latest incidents have raised alarm across the industry, with retailers increasingly being warned to strengthen their cyber defences as data breaches grow in frequency and scale.