17 July 2025

Co-op Cyberattack Steals Data of 6.5 Million Members

Co-op reveals massive April cyber breach affecting all members, and partners with The Hacking Games to combat future threats

In a significant cyber breach that rattled one of the United Kingdom's largest consumer cooperatives, Co-op has confirmed that the personal data of all its 6.5 million members was stolen during a cyberattack in April 2025. The revelation came from Co-op’s chief executive, Shirine Khoury-Haq, during a candid interview on BBC Breakfast on July 16, 2025. She expressed deep personal hurt over the incident, emphasizing the impact on both members and employees alike.

Khoury-Haq disclosed that the stolen data included sensitive personal details such as names, addresses, and contact information. However, she reassured the public that financial and transaction data were not compromised. "Their data was copied, the criminals did have access to it like they do when they hack organisations. That is the awful part of this," she stated, underscoring the severity of the breach.

The attack, which occurred on April 22, 2025, forced Co-op to shut down several IT systems to contain the threat and prevent the deployment of the DragonForce ransomware encryptor. Initial reports had downplayed the incident as a mere attempted intrusion, but subsequent investigations unveiled a more extensive security compromise. Sources revealed that the attackers executed a social engineering tactic to reset an employee’s password, which granted them entry into Co-op’s network. Once inside, they moved laterally across devices and stole the Windows domain’s NTDS.dit file—a critical database containing password hashes for Windows accounts. This file is a prized target for cybercriminals, enabling them to crack passwords offline and escalate their access within compromised networks.
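For defenders, the chain described above (a password reset, lateral movement, then access to NTDS.dit) can be correlated in Windows Security events. The sketch below is an added example, not part of the original article and not based on Co-op's actual logs; the normalised record layout, account and host names, thresholds and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed, normalised sample records (assumed schema, not real incident data).
# Event IDs are standard Windows Security IDs:
# 4724 = password reset attempt, 4624 = successful logon, 4688 = process creation.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:02:00", "id": 4724, "account": "j.smith", "host": "DC01", "cmd": ""},
    {"time": "2025-01-10T09:10:00", "id": 4624, "account": "j.smith", "host": "WS-114", "cmd": ""},
    {"time": "2025-01-10T09:40:00", "id": 4624, "account": "j.smith", "host": "FS02", "cmd": ""},
    {"time": "2025-01-10T10:05:00", "id": 4624, "account": "j.smith", "host": "DC01", "cmd": ""},
    {"time": "2025-01-10T10:12:00", "id": 4688, "account": "j.smith", "host": "DC01",
     "cmd": r"<constructed command referencing C:\Windows\NTDS\ntds.dit>"},
    {"time": "2025-01-10T11:00:00", "id": 4724, "account": "a.jones", "host": "DC01", "cmd": ""},
    {"time": "2025-01-10T11:05:00", "id": 4624, "account": "a.jones", "host": "WS-201", "cmd": ""},
]

def correlate(events, window=timedelta(hours=4), min_hosts=3):
    """Flag accounts whose password reset is followed, inside `window`, by logons
    to many hosts or by a process whose command line names ntds.dit."""
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 sorts chronologically
    findings = []
    for reset in (e for e in events if e["id"] == 4724):
        start = datetime.fromisoformat(reset["time"])
        hosts, ntds_hits = set(), []
        for e in events:
            t = datetime.fromisoformat(e["time"])
            if e["account"] != reset["account"] or not (start < t <= start + window):
                continue
            if e["id"] == 4624:
                hosts.add(e["host"])  # distinct hosts reached after the reset
            elif e["id"] == 4688 and "ntds.dit" in e["cmd"].lower():
                ntds_hits.append((e["host"], e["time"]))
        if ntds_hits or len(hosts) >= min_hosts:
            findings.append({
                "account": reset["account"],
                "reset_time": reset["time"],
                "hosts": sorted(hosts),
                "ntds_hits": ntds_hits,
                "severity": "critical" if ntds_hits else "high",
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Routine resets such as the constructed `a.jones` case stay below the threshold; the window and host count would need tuning against an environment's normal helpdesk activity.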

Further investigations linked the attack to a notorious cybercrime group known as Scattered Spider, who were also implicated in a similar assault on Marks & Spencer (M&S) involving the same DragonForce ransomware. The BBC reported having spoken to an operator affiliated with DragonForce ransomware who confirmed that one of their affiliates was behind the Co-op attack and even shared samples of the stolen data.

The cyberattack had tangible consequences beyond data theft. It disrupted Co-op’s operations, leading to food shortages in its grocery stores and significant distress among staff. Khoury-Haq remarked that the breach felt like a personal attack—not on her, but on the colleagues and customers who were directly affected. "It was my colleagues. It was personal to me because it hurt them. It hurt my members. They took their data and it hurt our customers and that I do take personally," she said.

In response to the breach, the UK's National Crime Agency (NCA) conducted a series of arrests between July 7 and 13, 2025. Four individuals—two 19-year-old males, one 17-year-old male, and one 20-year-old female—were apprehended in London and the West Midlands. They face charges including offences under the Computer Misuse Act, blackmail, money laundering, and participation in an organised crime group. Notably, one suspect has been linked to a 2023 cyberattack on MGM Resorts, which involved encrypting over 100 VMware ESXi virtual machines, an operation also attributed to Scattered Spider in collaboration with the BlackCat ransomware group. All suspects have been released on bail pending further investigation.

Recognising the urgent need to bolster cyber defenses and prevent future incidents, Co-op has forged a partnership with The Hacking Games, an organisation that connects cybersecurity experts with emerging talent. This collaboration aims to tap into Co-op’s vast reach—covering every postcode in the UK, 38 Co-op Academy schools, and its 6.5 million members—to nurture young people’s cyber skills and channel them towards ethical hacking and cybercrime prevention.

Shirine Khoury-Haq articulated the motivation behind this initiative: "We know first-hand what it feels like to be targeted by cybercrime. The disruption it causes, the pressure it puts on colleagues, and the impact it has on the people and communities we serve. At Co-op, we can’t just stand back and hope it doesn’t happen again—to us or to others. Our members expect us to find a cooperative means of tackling the cause, not just the symptom. Our partnership with The Hacking Games lets us reach talented young people early, guide their skills toward protection rather than harm, and open real paths into ethical work. When we expand opportunity we reduce risk, while having a positive impact on society."

The UK government has also highlighted the broader context of rising cyber threats. Security Minister Dan Jarvis commented on the alarming prevalence of cyberattacks, noting that over 40% of businesses reported experiencing a cybersecurity breach or attack in the past year. "Cybercrime destroys lives. The criminals carrying out these acts put the public and the economy at risk, and that’s why we’re continuing to take the decisive action necessary to keep UK jobs and businesses safe," Jarvis said. He stressed the importance of inspiring the next generation of cybersecurity professionals to detect, disrupt, and counter cybercrime, aligning with the government’s Plan for Change.

Jarvis further acknowledged that combating cybercrime requires a collective effort: "Combatting this issue will take a whole-of-society approach and we applaud all efforts to ensure that young people are diverted away from illicit behaviour online."

The Co-op cyberattack serves as a stark reminder of the vulnerabilities even large, well-established organisations face in the digital age. While financial data remained secure, the theft of personal information still poses significant risks to millions of individuals. It also underscores the evolving tactics of cybercriminals, who exploit social engineering and insider weaknesses to breach complex networks.

As investigations continue and the arrested suspects await trial, the Co-op’s proactive steps to engage with cybersecurity education and community outreach may set a precedent for how organisations respond to cyber threats. By fostering ethical hacking and empowering young talent, Co-op hopes to transform a painful breach into a catalyst for stronger, more resilient defences against the ever-present dangers of cybercrime.