The Co-op Group, one of the UK’s largest retail cooperatives, has confirmed that hackers accessed the personal data of all 6.5 million of its members during a cyberattack in April 2025.
Chief Executive Shirine Khoury-Haq revealed that while names, addresses, and contact information were stolen, no financial details or transaction histories were compromised. The company quickly shut down its network to prevent ransomware from being deployed, but this action caused disruption across its back offices and stores.
This breach was part of a campaign targeting UK retailers, including Marks & Spencer and Harrods. Authorities have linked the attacks to a group called Scattered Spider, known for using social engineering to infiltrate corporate IT systems.
Additionally, the ransomware gang DragonForce has claimed responsibility for the Co-op incident, although this has not been independently confirmed.
UK law enforcement arrested four individuals aged 17 to 20 in July over the retail cyberattacks, with charges including hacking, blackmail, and involvement in organised crime. Since then, attackers have shifted their focus to other sectors holding large amounts of consumer data, such as airlines and insurance.
The financial consequences for the Co-op remain unclear. Reports suggest the Group did not have cybersecurity insurance at the time, potentially exposing it to significant costs.
The Co-op is currently working to restore normal operations across its 2,300 stores while cooperating with ongoing investigations.