UK retailer Co-op has confirmed that personal data of 6.5 million members was stolen in the massive cyberattack in April that shut down systems and caused food shortages in its grocery stores.
Co-op (short for the Co-operative Group) is one of the United Kingdom's largest consumer co-operatives, operating food stores, funeral services, insurance, and legal services. It is owned by millions of members who receive discounts on services and share in the company's governance.
Co-op's CEO, Shirine Khoury-Haq, apologized today on the BBC Breakfast show, confirming that the attackers successfully stole the data for all of its 6.5 million members.
"Their data was copied, and the criminals did have access to it like they do when they hack other organizations. That is the awful part of this unfortunately," said Khoury-Haq.
While no financial or transaction information was exposed in the attack, the contact information for its members was stolen.
The CEO said the breach felt like a personal attack, not on her, but rather on the Co-op's members and employees who were impacted.
"And it it's not about me. It was my colleagues. It was personal to me because it hurt them. It hurt my members. They took their data and it hurt our customers and that I do take personally," she explained in the interview.
The cyberattack occurred in April, forcing Co-op to shut down several IT systems to prevent the threat actors from further spreading to devices and ultimately deploying the DragonForce ransomware encryptor.
Initially downplayed as an attempted intrusion into its network, the company later confirmed that a “significant” amount of data was accessed and stolen during the attack.
Sources told BleepingComputer at the time that the breach initially occurred on April 22, after the threat actors conducted a social engineering attack that allowed them to reset an employee's password.
Once they gained access to the network, they spread to other devices and ultimately stole the Windows domain's Windows NTDS.dit file. This file is a database for Windows Active Directory Services that contains password hashes for Windows accounts.
Threat actors commonly steal this file to extract and crack passwords offline, allowing them to further spread to other devices on the network.
BleepingComputer was told that the attack was linked to threat actors associated with Scattered Spider, who were linked to the Marks & Spencer (M&S) cyberattack where the DragonForce ransomware was deployed.
The BBC reported that they spoke to the DragonForce ransomware operator about Co-op, who confirmed one of its affiliates was behind the attack. They also shared samples of data with the BBC, claiming that Co-op's corporate and customer data had been stolen during the attack.
Last week, the UK's National Crime Agency (NCA) arrested four people suspected of being involved in the attacks on Co-op, M&S, and an attempted one on Harrods.
The arrested individuals are two 19-year-old males, one 17-year-old male, and a 20-year-old female, who were apprehended in London and the West Midlands.
It is reported that one of the suspects arrested is linked to a 2023 attack on MGM Resorts that resulted in the encryption of over 100 VMware ESXi virtual machines.
The MGM attack was also attributed to Scattered Spider, who was working with the BlackCat ransomware operation at the time.
8 Common Threats in 2025
While cloud attacks may be growing more sophisticated, attackers still succeed with surprisingly simple techniques.
Drawing from Wiz's detections across thousands of organizations, this report reveals 8 key techniques used by cloud-fluent threat actors.
Related Articles:
M&S confirms social engineering led to massive ransomware attack
Qantas discloses cyberattack amid Scattered Spider aviation breaches
Service desks are under attack: What can you do about it?
Louis Vuitton says regional data breaches tied to same cyberattack
Four arrested in UK over M&S, Co-op, Harrods cyberattacks
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________
