A major cyber attack on retail giant Co-op has compromised the personal data of potentially 20 million customers, hackers have claimed, in what is now being recognized as one of the most severe digital breaches in the UK retail sector.
The hacker group, calling itself DragonForce, contacted the BBC directly to assert that Co-op had significantly downplayed the scope of the intrusion. They provided screenshots and data samples to prove they had infiltrated internal systems, including Microsoft Teams chats and sensitive databases.
On Friday, following the BBC’s inquiry, a Co-op spokesperson confirmed that data from “a significant number of our current and past members” had been accessed.
This marks a stark shift from Co-op’s earlier statement, in which the company claimed only a “small impact” on its operations and denied that any customer data had been compromised.
DragonForce claims to have stolen names, addresses, phone numbers, email addresses, and Co-op membership card numbers for millions of customers. They also shared a cache of usernames and passwords allegedly belonging to Co-op employees.
The BBC, which received a sample of 10,000 customer records, verified the information but has since destroyed it.
“This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group,” a Co-op spokesperson said.
The cyber gang reportedly sent their first extortion message on April 25, targeting Co-op’s head of cybersecurity via internal chat.
The message read: “Hello, we exfiltrated the data from your company. We have customer database, and Co-op member card data.”
Internal sources confirmed that staff were subsequently instructed to keep cameras on during video meetings, refrain from recording calls, and verify attendees’ identities—measures understood to be direct responses to the hackers’ infiltration of internal communications.
DragonForce also claimed responsibility for an ongoing cyber attack on Marks & Spencer and an attempted breach at Harrods, though they declined to provide further details.
The group has a known presence on Telegram and Discord and operates a ransomware-as-a-service model, allowing affiliates to use their malicious tools.
Cybersecurity experts believe the group may be linked to the loosely organized collective known as Scattered Spider or Octo Tempest, whose members are often young and fluent in English.
The UK government has since urged all businesses to bolster their digital defenses. Minister for National Security Pat McFadden stated, “This incident is a sobering reminder that cybersecurity must be treated as an absolute priority. Businesses cannot afford to be complacent.”
In response to the breach, Co-op said earlier this week that it had shut down parts of its back-office and communications infrastructure. However, it says all stores, funeral homes, and insurance operations continue to function normally.
The National Cyber Security Centre (NCSC) and National Crime Agency (NCA) are now working with Co-op to investigate the incident.
Despite the scale of the attack, Co-op has not confirmed whether it will pay a ransom or what steps it will take if the stolen data is leaked online.
Customers and members have been reassured that no action is currently needed on their part, though further updates are expected as the investigation unfolds.
You must be logged in to post a comment.