
Co-op chief ‘incredibly sorry’ for theft of 6.5m members’ data

Co-op chief executive Shirine Khoury-Haq has revealed that all the personal data of all 6.5 million of its members was compromised in the April 2025 cyber attack on its systems.

Co-op Group chief executive Shirine Khoury-Haq has apologised to all six and a half million of the group’s members after revealing that their personal data, apparently limited to names, addresses and other contact details, was stolen in a Scattered Spider cyber attack against its systems.

The attack, which unfolded in parallel with incidents at Marks & Spencer (M&S) and Harrods earlier this year, saw cyber criminals penetrate key IT systems causing disruption that spilled over into the physical world as store shelves emptied. It quickly emerged that Co-op member data had been impacted but the full scope of the breach is only now being revealed.

Four people were arrested on suspicion of involvement in the cyber attacks last week, although they have now been bailed pending further investigation.

“I am incredibly sorry,” said Khoury-Haq during an appearance on BBC Breakfast. “It’s awful to have happened, that’s why we feel like we have to do something positive now.”

Khoury-Haq said the attack had felt like a personal one because it hurt customers, members and colleagues, but expressed relief that Scattered Spider had been caught and evicted from the retailer’s systems before they could deploy ransomware.

Jez Goldstone, cyber security expert at innovation and business development network Label Sessions, said: “Individuals cannot rely on mere trust when dealing with large enterprises. They are vulnerable and they are not doing enough to protect your data.

“Unfortunately, these breaches only add to the mountain of already breached data - billions of identities are already traded on the Dark Web. It costs next to nothing to obtain compromised identities.

“Unfortunately, you can’t put the horse back in the stable,” said Goldstone, “but you can, firstly, demand stronger protections from regulators and the organisations you do business with. And, secondly, be aware of scams that try to get you to take urgent action because of some seemingly credible threat – real companies don’t put you under pressure.”

Hacking partnership

Following its experience at the hands of cyber criminal hackers, Co-op has also teamed up with social impact business The Hacking Games to try to prevent future cyber attacks by identifying potential talent, especially among teenage boys, and channelling it into legitimate career paths.

The youth of Scattered Spider’s members has frequently been remarked upon in coverage of the group, with many of its operatives believed to be minors. One of the individuals arrested last week was aged just 17, and all four of the men indicted in the US over the gang’s activities last year are in their early 20s.

Co-op said there was an urgent need to engage young people and inspire them to follow ethical security careers in a sector that faces a constant skills shortfall. As such, it said, The Hacking Games, which was purposely set up to try to tackle the link between talented but unengaged young people and cyber crime by connecting the security community to unconventional talent – particularly neurodivergent individuals living with ADHD and/or autism – makes an ideal partner.

Its partnership will draw on Co-op’s nationwide presence and ethical, community-driven business approach and The Hacking Games’ knowledge and expertise in the area to reach into Britain’s schools – starting with 38 institutions that operate within the Co-op Academies Trust. Looking ahead, the ambition is to develop a longer-term plan that could be rolled out across the entire UK education system, supporting engagement, targeted student and parent training, and future careers opportunities.

“At Co-op, we can’t just stand back and hope it doesn’t happen again - to us or to others. Our members expect us to find a cooperative means of tackling the cause, not just the symptom,” said Khoury-Haq.

“Our partnership with The Hacking Games lets us reach talented young people early, guide their skills toward protection rather than harm, and open real paths into ethical work. When we expand opportunity we reduce risk, while having a positive impact on society.”

Fergus Hay, Co-founder and CEO of The Hacking Games, added: “There is an incredible amount of cyber talent out there – but many young people don’t see a path into the industry, or simply don’t realise their skills can be used for good. This partnership with Co-op will help unlock that potential. It’s about giving people the opportunity to do something positive, showing that their talents are valued and creating a generation of ethical hackers to make the world safer.”

Read more on this story

  • 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
  • 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
  • 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
  • 29 April: An infamous hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
  • 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
  • 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
  • 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
  • 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
  • 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
  • 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same gang that supposedly attacked M&S and Co-op in the UK.
  • 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
  • 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signaling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
  • 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
  • 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, a group of criminal hackers appears to be expanding their targeting to the insurance sector.
  • 20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from cyber attacks on M&S and Co-op.
  • 27 June: Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.
  • 2 July: Australian flag carrier Qantas is investigating significant data theft of personal information for up to 6 million customers after a third-party platform used by its call centre was compromised.
  • 2 July: A developing cyber attack at Australian airline Qantas that started at a third-party call centre is already being tentatively attributed to the same gang that hit UK retailers. Find out more and learn about the next steps for those affected.
  • 8 July: The government should extend ransomware reporting mandates to businesses to help gather more intelligence and better support victims, says M&S chairman Archie Norman.
  • 9 July: Australian flag carrier begins notifying millions of individuals after a cyber attack on a call centre, confirming that while financial and passport details are safe, a significant volume of other personal information was compromised.
  • 10 July: Police have made four arrests in connection with a trio of cyber attacks on UK retailers Marks & Spencer, Co-op and Harrods.
  • 14 July: French luxury goods retailer LVMH has disclosed multiple cyber attacks in 2025 so far, and their impact is now spreading to the UK as a new incident affecting Louis Vuitton comes to light.
  • 16 July: Microsoft warns users over notable evolutions in Scattered Spider's attack playbook, and beefs up some of the defensive capabilities it offers to customers in response.
