Retailer Co-op: Attackers snatched all 6.5M member records
(2025/07/16)
- Reference: 1752664807
- News link: https://www.theregister.co.uk/2025/07/16/coop_data_stolen/
- Source link:
Co-op Group's chief executive officer has confirmed that all 6.5 million of the organization's members had their data stolen during its April cyberattack - Scattered Spider is believed to be behind the digital heist.
Shirine Khoury-Haq confirmed the scale of the attack to the [1]BBC Breakfast show on Wednesday, adding that the member file is what the attackers copied, but were thwarted before they could deploy ransomware.
"The good thing was because we did block them, they could not erase what they did," she said.
[2]
"So we could monitor every mouse click, we saw every piece of code that they had written, we knew everywhere they went in our systems, and we were able to relay that back to the authorities."
[3]
[4]
For a £1 ($1.34) fee, Co-op members become a part-owner in the retailer, giving them a say in how the business is run, as well as access to exclusive deal and discounts.
Asked whether members should be concerned about their data being in the hands of the attackers and potentially posted online, Khoury-Haq said she understood that many would be uneasy about that fact, but much of the data that was copied was most likely "out there" anyway.
[5]
This appeared to be an allusion to the possibility that the data copied and stolen pertained to personal details such as names and contact details.
Co-op had previously confirmed that no financial or transaction data was affected.
"Honestly, I'm devastated that information was taken," the CEO added. "I'm also devastated by the impact that had on our colleagues as well as they tried to contain all of this.
[6]
"Early on, I met with our IT staff, and they were in the midst of it, and I will never forget the looks on their faces trying to fight off these criminals and protect our members' data, and trying to protect our organization as well. That will never leave me."
Khoury-Haq's television appearance came hours after the Co-op announced a partnership with The Hacking Games, a social impact business, which aims to identify [7]neurodiverse youth who may be vulnerable to drifting into cybercrime and channel their interests into pursuing ethical cybersecurity instead.
It said in an announcement that more than 50 percent of UK tech workers identify as neurodivergent, yet 71 percent of autistic adults in the UK are unemployed.
Co-op Group is chiefly known for its countrywide grocery stores and funeral parlors, but also runs Co-op Academies Trust, which oversees 38 Co-op-branded schools attended by 20,000 students.
The partnership aims to introduce initiatives to these students that inspire potential future cybersecurity offenders to put on the white hat in their chosen career path. The long-term ambition is that these efforts expand into the wider education system.
Greg Francis, cyber offender prevention consultant at 4D Cyber Security Ltd and former SOCA and NCA cybercrime investigator and prevention officer, said: "Unlike their offline counterparts, young people entering cybercrime receive little to no deterrents and are often left to self-police their online activities.
"There's a vital role for stakeholders – from parents and educators to search engines, gaming platforms and the cybersecurity industry – to embrace their digital responsibility and help young people make informed choices."
The National Crime Agency (NCA) [8]arrested four individuals aged between 17 and 20 as part of its investigation into the attacks on British retail companies (including M&S and Harrods, as well as the Co-op) last week.
It told The Register this week that all four had been bailed pending further investigations, and none had been charged at this stage.
Retail attacks 'a wake-up call'
Speaking to a parliamentary joint committee about the recently announced National Security Strategy, senior minister Pat McFadden said [9]the costly attacks on the retailers should serve as a wake-up call for both government and other organizations.
Asked about the potential impact had the April attacks hit two of the three biggest supermarket chains in the UK – Tesco, Sainsbury's, or Asda – instead of smaller ones like Co-op and M&S, McFadden said "who can say exactly," but assured robust protections are in place.
May 2025: A Co-op store in Manchester warns of food availability issues on half-stocked shelves
The main concerns expressed by committee members centered around access to food. While Co-op and M&S were both able to keep their stores open during their recovery periods, [10]empty or half-stocked shelves at some sites served as vivid reminders of how severe an attack on a grocer could be.
"I think that supermarkets have very robust food distribution systems," McFadden said. "I don't want to alarm the public here, but I would say those attacks did show the importance of strong cybersecurity, as I keep saying, in both public and private sectors.
"I don't want to sit here as a minister and say this is just a matter for the private sector, it's obviously not, it's a matter for all of us."
[11]NCA arrests four in connection with UK retail ransomware attacks
[12]Experts count staggering costs incurred by UK retail amid cyberattack hell
[13]M&S warns of £300M dent in profits from cyberattack
[14]British govt agents step in as Harrods becomes third mega retailer under cyberattack
On the topic of incentivization, which has been a [15]common discussion among cybersecurity folk in recent years , the Cabinet Office minister said he believes it is "really important" that discussions are had with critical infrastructure providers on which the public rely. These include but are not limited to banking, energy, and food distribution.
Asked whether these providers are properly incentivized to invest in securing their infrastructure, McFadden told the committee:
"I don't think you could ever say every risk is covered. But I think if you look at the experience of what has happened in the last couple of months, boards will be very conscious of the danger of this, seeing what it has done to a couple of Great British companies and household names in recent months." ®
Get our [16]Tech Resources
[1] https://www.bbc.co.uk/iplayer/episode/m002fx94/breakfast-16072025
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aHfMlYsJymEIiDBgnz4BxwAAAhc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aHfMlYsJymEIiDBgnz4BxwAAAhc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aHfMlYsJymEIiDBgnz4BxwAAAhc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aHfMlYsJymEIiDBgnz4BxwAAAhc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aHfMlYsJymEIiDBgnz4BxwAAAhc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2014/09/23/dyslexic_dyspraxic_no_probs_says_gchq/
[8] https://www.theregister.com/2025/07/10/nca_arrests_four_in_connection/
[9] https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/
[10] https://www.theregister.com/2025/05/21/ms_cyberattack_disruption/
[11] https://www.theregister.com/2025/07/10/nca_arrests_four_in_connection/
[12] https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/
[13] https://www.theregister.com/2025/05/21/ms_cyberattack_disruption/
[14] https://www.theregister.com/2025/05/02/ncsc_steps_in_as_harrods/
[15] https://www.theregister.com/2025/05/12/uks_cyber_agency_and_industry/
[16] https://whitepapers.theregister.com/
Shirine Khoury-Haq confirmed the scale of the attack to the [1]BBC Breakfast show on Wednesday, adding that the member file is what the attackers copied, but were thwarted before they could deploy ransomware.
"The good thing was because we did block them, they could not erase what they did," she said.
[2]
"So we could monitor every mouse click, we saw every piece of code that they had written, we knew everywhere they went in our systems, and we were able to relay that back to the authorities."
[3]
[4]
For a £1 ($1.34) fee, Co-op members become a part-owner in the retailer, giving them a say in how the business is run, as well as access to exclusive deal and discounts.
Asked whether members should be concerned about their data being in the hands of the attackers and potentially posted online, Khoury-Haq said she understood that many would be uneasy about that fact, but much of the data that was copied was most likely "out there" anyway.
[5]
This appeared to be an allusion to the possibility that the data copied and stolen pertained to personal details such as names and contact details.
Co-op had previously confirmed that no financial or transaction data was affected.
"Honestly, I'm devastated that information was taken," the CEO added. "I'm also devastated by the impact that had on our colleagues as well as they tried to contain all of this.
[6]
"Early on, I met with our IT staff, and they were in the midst of it, and I will never forget the looks on their faces trying to fight off these criminals and protect our members' data, and trying to protect our organization as well. That will never leave me."
Khoury-Haq's television appearance came hours after the Co-op announced a partnership with The Hacking Games, a social impact business, which aims to identify [7]neurodiverse youth who may be vulnerable to drifting into cybercrime and channel their interests into pursuing ethical cybersecurity instead.
It said in an announcement that more than 50 percent of UK tech workers identify as neurodivergent, yet 71 percent of autistic adults in the UK are unemployed.
Co-op Group is chiefly known for its countrywide grocery stores and funeral parlors, but also runs Co-op Academies Trust, which oversees 38 Co-op-branded schools attended by 20,000 students.
The partnership aims to introduce initiatives to these students that inspire potential future cybersecurity offenders to put on the white hat in their chosen career path. The long-term ambition is that these efforts expand into the wider education system.
Greg Francis, cyber offender prevention consultant at 4D Cyber Security Ltd and former SOCA and NCA cybercrime investigator and prevention officer, said: "Unlike their offline counterparts, young people entering cybercrime receive little to no deterrents and are often left to self-police their online activities.
"There's a vital role for stakeholders – from parents and educators to search engines, gaming platforms and the cybersecurity industry – to embrace their digital responsibility and help young people make informed choices."
The National Crime Agency (NCA) [8]arrested four individuals aged between 17 and 20 as part of its investigation into the attacks on British retail companies (including M&S and Harrods, as well as the Co-op) last week.
It told The Register this week that all four had been bailed pending further investigations, and none had been charged at this stage.
Retail attacks 'a wake-up call'
Speaking to a parliamentary joint committee about the recently announced National Security Strategy, senior minister Pat McFadden said [9]the costly attacks on the retailers should serve as a wake-up call for both government and other organizations.
Asked about the potential impact had the April attacks hit two of the three biggest supermarket chains in the UK – Tesco, Sainsbury's, or Asda – instead of smaller ones like Co-op and M&S, McFadden said "who can say exactly," but assured robust protections are in place.
May 2025: A Co-op store in Manchester warns of food availability issues on half-stocked shelves
The main concerns expressed by committee members centered around access to food. While Co-op and M&S were both able to keep their stores open during their recovery periods, [10]empty or half-stocked shelves at some sites served as vivid reminders of how severe an attack on a grocer could be.
"I think that supermarkets have very robust food distribution systems," McFadden said. "I don't want to alarm the public here, but I would say those attacks did show the importance of strong cybersecurity, as I keep saying, in both public and private sectors.
"I don't want to sit here as a minister and say this is just a matter for the private sector, it's obviously not, it's a matter for all of us."
[11]NCA arrests four in connection with UK retail ransomware attacks
[12]Experts count staggering costs incurred by UK retail amid cyberattack hell
[13]M&S warns of £300M dent in profits from cyberattack
[14]British govt agents step in as Harrods becomes third mega retailer under cyberattack
On the topic of incentivization, which has been a [15]common discussion among cybersecurity folk in recent years , the Cabinet Office minister said he believes it is "really important" that discussions are had with critical infrastructure providers on which the public rely. These include but are not limited to banking, energy, and food distribution.
Asked whether these providers are properly incentivized to invest in securing their infrastructure, McFadden told the committee:
"I don't think you could ever say every risk is covered. But I think if you look at the experience of what has happened in the last couple of months, boards will be very conscious of the danger of this, seeing what it has done to a couple of Great British companies and household names in recent months." ®
Get our [16]Tech Resources
[1] https://www.bbc.co.uk/iplayer/episode/m002fx94/breakfast-16072025
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aHfMlYsJymEIiDBgnz4BxwAAAhc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aHfMlYsJymEIiDBgnz4BxwAAAhc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aHfMlYsJymEIiDBgnz4BxwAAAhc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aHfMlYsJymEIiDBgnz4BxwAAAhc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aHfMlYsJymEIiDBgnz4BxwAAAhc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2014/09/23/dyslexic_dyspraxic_no_probs_says_gchq/
[8] https://www.theregister.com/2025/07/10/nca_arrests_four_in_connection/
[9] https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/
[10] https://www.theregister.com/2025/05/21/ms_cyberattack_disruption/
[11] https://www.theregister.com/2025/07/10/nca_arrests_four_in_connection/
[12] https://www.theregister.com/2025/06/23/experts_count_the_staggering_costs/
[13] https://www.theregister.com/2025/05/21/ms_cyberattack_disruption/
[14] https://www.theregister.com/2025/05/02/ncsc_steps_in_as_harrods/
[15] https://www.theregister.com/2025/05/12/uks_cyber_agency_and_industry/
[16] https://whitepapers.theregister.com/
Re: Brilliant
Doctor Syntax
It appears that she doesn't realise the difference between data and information. Some data might be "out there" (not necessarily every member's data) but that same data is now combined with other , Co-op specific, data which wasn't and such cominations turn it into information which is far more valuable and which wasn't out there but now is.
Tom Chiverton 1
And.... Anyone going to jail?
Anonymous Coward
Who knows? Any trial will be a long way off, the jails are full because the Tories wouldn't build any more, and when it gets to trial the defence will roll out thee usual sob stories and special circumstances that seem to cut so much ice with the "justice" system.
Lazlo Woodbine
Well, they've only just arrested the alleged perps, so we'll have to wait until after the trial...
funeral parlors!
Chris Evans
I've never heard of Undertakers in the UK being called "funeral parlors" we've enough Americanisms already thank you. Funeral Directors.
Re: funeral parlors!
Lazlo Woodbine
They've long been called funeral parlours in much of the UK, the only thing wrong is the spelling of parlour...
Anonymous Coward
It would be nice to see the RCA on the breach. I do wonder if its as a result of end-of-life software.
I see far too many companies out there that put off upgrading just to save money to bolster investor returns and C-Suite bonus's.
Handlebars
More up to date firms just leave S3 buckets unsecured
Doctor Syntax
The really up-to-date firms have supply chain attacks. Why leave an S3 bucket unsecured yourself when somebody you've never realised was in the chain can do it for you?
Doctor Syntax
The nature of the Co-op is such that the "investors" are the members as it says in the TFA.
Brilliant
Asked whether members should be concerned about their data being in the hands of the attackers and potentially posted online, Khoury-Haq said she understood that many would be uneasy about that fact, but much of the data that was copied was most likely "out there" anyway.
Brilliant. That should be framed.