Date: 2025-05-02

Co-op: Hackers extract personal data in breach

Hackers have claimed responsibility for a major cyber attack on the Co-op Group, telling the BBC they accessed and extracted personal data on millions of members and staff, in a breach that may be far more extensive than the company initially acknowledged.

The cyber criminal group, calling itself DragonForce, contacted BBC News with evidence of the breach, including screenshots of internal Microsoft Teams messages and video calls with Co-op’s head of cyber security. The group claimed it stole data belonging to around 20 million people who signed up to the Co-op’s membership scheme.

Co-op confirmed the breach on Friday, stating that “a significant number of our current and past members” were affected. However, the company has not verified the 20 million figure.

The group also claims to have obtained usernames and passwords for all Co-op employees. The BBC reported receiving a sample of 10,000 customer records from DragonForce, which included membership card numbers, names, addresses, phone numbers and email addresses. The BBC has since destroyed the data and is not publishing or sharing the information.

The Co-op said the stolen data did not include passwords, bank or credit card details, or transactional data related to customers or members’ products or services. In an updated statement issued after the BBC contacted them, the Co-op said it is working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to investigate the breach.

The company had previously described the incident as having a “small impact” on its operations and said there was “no evidence that customer data was compromised”. But following the revelations from the hackers, Co-op disclosed further details of the breach to its staff and the stock market.

As a result of the internal systems breach, Co-op has reportedly introduced strict new protocols for staff, including keeping cameras on during Teams meetings, avoiding the recording or transcription of calls, and verifying all participants’ identities. These measures appear to be a response to the hackers’ ability to access internal chats and calls.

DragonForce is a ransomware group known for scrambling data and demanding payment to unlock it, as well as stealing data to pressure victims. It runs a cyber crime-as-a-service model, enabling others to carry out similar attacks using its tools. Security experts say the tactics used in the Co-op incident resemble those of a loosely organised English-speaking group known as Scattered Spider or Octo Tempest.

The group told the BBC it had sent an extortion message to the Co-op on 25 April, but refused to confirm what ransom was demanded or what it planned to do with the data if payment was not made.

DragonForce is also claiming responsibility for ongoing cyber attacks against M&S and an attempted breach of Harrods, although it declined to provide further details.

The Co-op employs around 70,000 people and operates more than 2,500 supermarkets, along with funeral homes and an insurance business.

In a statement, a Co-op spokesperson said: “Protecting the security of our members’ and customers’ data is a priority, and we are very sorry that this situation has arisen.”