Co-Op confirms all 6.5 million members’ data stolen in cyberattack

The Co-op has confirmed that a cyberattack in April resulted in the theft of personal data belonging to all 6.5 million of its members.

Speaking in her first public interview since the incident, Co-op Chief Executive Shirine Khoury-Haq expressed her devastation over the breach and its impact on both members and colleagues.

“I’m devastated that information was taken. I’m also devastated by the impact that it took on our colleagues as well as they tried to contain all of this,” Khoury-Haq told BBC Breakfast. She clarified that no financial or transaction data was compromised, but that names, addresses, and contact information were stolen.

Khoury-Haq, while not stepping down from her role, offered a profound apology for the attack, describing it as “personal” due to the distress it caused. She recounted meeting with her IT staff who were “in the midst of it,” fighting off the criminals.

Co-op’s swift action in disconnecting its IT networks from the internet is believed to have prevented the hackers from deploying ransomware, a move that could have caused even greater disruption.

Once the attackers were removed from the systems, Co-op was able to monitor their every move, gathering crucial information that has since been shared with authorities. However, Khoury-Haq acknowledged that some of the stolen information might already be publicly available and that “people will be worried and all members should be concerned.”

The Co-op was one of three major UK retailers targeted in cyberattacks this spring, alongside Marks & Spencer (M&S) and Harrods. M&S also reported customer data theft and has faced significant costs and disruption in restoring its systems.

Says Lauren Wills-Dixon, head of data privacy at law firm Gordons:

 “Now that Co-op has confirmed that names and addresses of its members were stolen, it highlights once again the importance of cyber security measures for businesses, and indeed the risks in an increasingly digital world.

“Customer, employee or, in this case, members’ data makes an attractive target to hackers. Financial data wasn’t compromised, so this definitely could have been worse, but people will naturally be worried about their personal data being exposed to malicious actors in this way.

“Retailers are among the most common targets for cyber attacks because of the large amounts of customer data they hold, and the increased use of technology by the industry to reduce overheads and streamline operations has raised the risk even further.”

In a recent development, the National Crime Agency (NCA) announced the arrest of four individuals in connection with the cyberattacks on Co-op and M&S. A 20-year-old woman and three males aged between 17 and 19 were apprehended on suspicion of Computer Misuse Act offenses, blackmail, money laundering and participating in an organized crime group.