The Co-op Group has confirmed that cybercriminals successfully stole personal data belonging to all 6.5 million of its members during a cyberattack in April 2025. The confirmation marks one of the most widespread retail data breaches in UK history.
Timeline of the Breach
The cyberattack against Co-op began in late April 2025. Initially, Co-op maintained there was “no evidence” that customer data had been compromised, but the criminal group contacted the BBC directly to prove otherwise, sharing sample data and screenshots of internal systems.
CEO Shirine Khoury-Haq said “I am incredibly sorry” and described the breach as “awful to have happened.” She confirmed that while no financial or transactional data was taken, names, addresses and contact information was accessed.
The stolen data includes:
- Full names of current and past members
- Postal addresses
- Phone numbers
- Email addresses
- Co-op membership card details
The breach did not include passwords, bank details, credit card information, or transaction histories.
Criminal Groups Behind the Attack
The attack involved a partnership between two distinct criminal operations working under a ransomware-as-a-service model.
DragonForce operates as a ransomware cartel that provides encryptor tools, data leak sites, and payment processing infrastructure. The group takes a cut of ransom payments (typically 20-30%) while handling the technical backend and claiming public credit for attacks.
Scattered Spider and similar affiliate groups perform the actual system infiltration work. These hackers specialize in impersonating IT staff over the phone to trick employees into revealing credentials, then deploy DragonForce’s ransomware tools to complete the attack.
The same criminal partnership targeted Marks & Spencer and Harrods in coordinated attacks during the same period. The M&S attack alone cost an estimated £300 million in lost revenue.
Arrests Made
On July 10, 2025, the National Crime Agency (NCA) arrested four individuals connected to the attacks. The suspects include two 19-year-old men, a 17-year-old male, and a 20-year-old woman, all arrested at their homes in the West Midlands and London.
They face charges including Computer Misuse Act offenses, blackmail, money laundering, and participating in organized crime. Police seized their electronic devices for forensic analysis.
These arrests likely target affiliate group members rather than DragonForce operators. Scattered Spider is known to be primarily English-speaking teenagers and young adults based in the UK and US, which matches the profile of those arrested.
Co-op’s Response
Co-op detected the intrusion and quickly shut down affected IT systems to prevent further damage. This decision likely stopped the attackers from deploying ransomware or accessing additional data, but caused significant operational problems:
- Contactless payment systems failed across food stores
- Customer service lines went down
- Back-office operations were disrupted
The company restored normal payment functionality by mid-May, about three weeks after the attack. Co-op confirmed they did not pay any ransom demand.
Impact on Members
Co-op has begun notifying affected members about the breach and is offering credit monitoring services. Members can check if their accounts show any suspicious activity and should be alert for phishing attempts that may use their stolen contact information.
