Co-op boss confirms data of all 6.5m members stolen
The chief executive of Co-op has confirmed that the personal data of all its 6.5m members was stolen during a major cyber attack in April, marking one of the most widespread data breaches in UK retail history.
Speaking publicly for the first time since the attack, Shirine Khoury-Haq said the breach had a “devastating” impact on customers and staff, and described the hack as “deeply personal”.
“There was no financial or transactional data taken, but names, addresses and contact information was accessed”, Khoury-Haq told BBC Breakfast. “It hurt my members… and that I take personally”.
The comments come just days after the National Crime Agency (NCA) arrested four individuals in connection with the attack, including three teenagers and a 20-year-old woman, following a joint operation across Staffordshire, London, and the West Midlands.
Retail cybercrime wave
The attack on Co-op was part of a coordinated wave of cyber intrusions targeting high-profile UK retailers, including Marks & Spencer and Harrods.
The NCA confirmed last week that the group of suspects were arrested on suspicion of blackmail, money laundering, Computer Misuse Act offences, and participation in an organised crime group.
According to investigators, the group attempted to deploy ransomware across Co-op’s systems but was blocked at the last moment when IT staff severed internet access, potentially avoiding catastrophic business disruption.
However, Co-op later admitted hackers had gained access to a “significant” volume of customer and employee data, including membership details from its profit-sharing scheme.
M&S suffered significant operational damage from a related attack, which has reportedly cost the FTSE 100 retailer £300m in lost earnings.
The company is preparing a £100m insurance claim to recover part of that loss, having had a cyber insurance policy in place through Allianz and Beazley.
Co-op and Harrods, however, did not hold cyber insurance at the time of the attacks – potentially leaving them exposed to material financial and reputational risk.
Co-op’s significant damage
Khoury-Haq described the internal scramble to contain the breach, recalling how IT staff worked around the clock to halt further intrusion.
“I met with our IT staff while they were in the midst of it”, she said. “I will never forget the looks on their faces as they tried to fight off these criminals”.
After the hackers were ejected from Co-op’s systems, Khoury-Haq said the firm was able to track their actions in real time and share that data with law enforcement.
Despite these efforts, she acknowledged that the damage was significant. “People will be worried, and all members should be concerned”.
Sector-wide reckoning
The spree of attacks has prompted renewed scrutiny of corporate cybersecurity practices, particularly among UK retailers with vast stores of customer data and legacy IT systems.
In Co-op’s case, the breach also triggered disruption to contactless payments and customer service lines across its food stores in May.
The company restored full payment functionality by mid-May.
Co-op operated under a mutual model, with its 6.5m members owning a share in the business.
“Hacking is not a victimless crime”, said a Co-op spokesperson. “We’ve engaged fully with the NCA throughout and are pleased that this has led to arrests on behalf of our members”.