Co-op Cyber Attack: Data of all 6.5 million Members Stolen
In April 2025, the Co-operative Group, which has more than 6.5 million members, suffered a major cyber attack in which the personal data of every member was stolen. The breach, confirmed by Co-op chief executive Shirine Khoury-Haq, is one of the largest and most extensive cyber incidents ever seen in the UK retail sector.
What happened?
On 30 April, attackers gained unauthorised access to core Co-op systems holding the names, addresses, contact details and dates of birth of all 6.5 million members. No financial or transaction data, such as bank account details, passwords or payment histories, was compromised, but the scale of the theft is still significant.
Once IT staff detected the intrusion, they quickly disconnected the affected systems from the internet to prevent further damage. This stopped the attack escalating, but the attackers had already siphoned off a significant volume of members' personal data.
By mid-May, Co-op was also suffering disruption to contactless payments and call-centre systems, which is believed to have been caused by the incident. These issues were not resolved until late May.
Who is behind the attack?
The Co-op attack has been linked to a hacking group called Scattered Spider, a collective with a growing record of targeting major UK retailers. They’re also believed to be behind the attacks on businesses such as Marks & Spencer, Adidas and Harrods.
Their primary method of attack, and the one used here, is social engineering: tricking people into giving up access, often by impersonating colleagues or support staff.
In this case, members of the group reportedly posed as legitimate employees and contacted the Co-op’s IT helpdesk. Using publicly available personal information, they convinced staff to reset internal passwords, giving them access to core systems.
In early July, four individuals were arrested in connection with this string of attacks: three males aged 17 to 19 and a 20-year-old woman. They were detained on suspicion of offences including unauthorised access to computer material under the Computer Misuse Act, blackmail and money laundering.
Risk to impacted members
While no financial details or passwords were stolen in the Co-op breach, the exposure of personal data such as names, addresses, contact details and dates of birth still presents a significant risk to members. The most immediate threat is the increased likelihood of targeted phishing attacks.
Using the stolen data, cybercriminals can create more convincing messages that appear to come from trusted sources, increasing the likelihood that recipients will click links or share further information.
In addition to this, while not as likely, there is potentially a risk of impacted individuals becoming victims of identity theft. Criminals can use personal data to impersonate individuals, pass security checks, or even set up fraudulent accounts in their name. In particular, details like date of birth and home address are commonly used by organisations such as banks and mobile phone providers to verify identity, making the risk of misuse very real.
Perhaps most concerning is that some members may not realise they are at risk. Older or less tech-savvy individuals are often more vulnerable to being targeted, particularly when phishing messages are tailored using accurate personal information, such as that compromised in this attack. Even members who don't recall joining the Co-op's membership programme are still affected, as their details are most likely still held on Co-op's systems.
What are the key takeaways from this?
Incidents of this nature often act as cautionary tales for other organisations, even if they perhaps aren’t as large as those impacted:
Strong staff training and verification measures are key: In the Co-op incident, attackers gained access through social engineering, impersonating staff and tricking the helpdesk into resetting passwords. It's vital that staff at all levels, but especially in IT support, receive regular training on how to spot attempted phishing and social engineering, and that helpdesk verification does not rely on details an attacker could obtain from public sources.
Don’t underestimate low-risk personal data: Personal data such as names, dates of birth and contact details may seem harmless, but can be used to bypass security checks and target individuals with convincing scams. Organisations should implement the necessary security measures for all personal data they store and process.
Implement multi-factor authentication wherever possible: Adding a second layer of protection to internal systems and staff accounts significantly reduces the risk of unauthorised access, even if credentials are compromised. It helps ensure that only those with explicit permission to do so can access systems or areas where personal data is stored.
Review access controls and permissions regularly: Limiting who can access sensitive systems, and reviewing those permissions frequently, reduces the chance that an attacker can access systems undetected. This is especially important for dormant accounts, such as those of staff who have left the business. While less relevant here, these can act as easy entry points, as they are less likely to be monitored.
Prepare for breach response, not just prevention: Co-op’s swift isolation of systems helped contain the attack. Organisations should have a tested incident response plan in place so they can act quickly when breaches happen.
Demonstrate accountability by quickly informing impacted individuals: Delays in notifying those affected by a data breach can increase the risk of harm, especially in cases where personal data can be exploited for scams. It’s vital that quick action is taken and individuals are informed of the incident, what data was involved, what steps have been taken, and what individuals can do to protect themselves.
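As an added illustration (not code from the article, Co-op or any of the organisations named), the following Python sketch encodes the helpdesk verification and detection points above: reset requests backed only by publicly obtainable details are refused, privileged accounts need a possession factor plus out-of-band manager approval, and repeated reset requests for one account are flagged for review. The factor names, the ResetRequest structure and the thresholds are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Details an attacker can often obtain from public sources or an earlier breach.
# On their own they must never be enough to reset a password. (Assumed factor names.)
PUBLIC_KNOWLEDGE = {"name", "date_of_birth", "home_address", "employee_id"}
# Factors that require control of something only the real employee holds.
POSSESSION = {"mfa_push_approved", "callback_to_registered_phone"}
# Confirmation from someone other than the caller, over a separate channel.
OUT_OF_BAND = {"manager_approval"}

@dataclass
class ResetRequest:
    account: str
    privileged: bool            # admin / core-system account?
    evidence: set               # factors the helpdesk agent actually verified
    requested_at: datetime

def evaluate_reset(req: ResetRequest) -> tuple[str, str]:
    """Return (decision, reason); decision is 'approve', 'escalate' or 'deny'."""
    if not req.evidence:
        return "deny", "no verification performed"
    if req.evidence <= PUBLIC_KNOWLEDGE:
        return "deny", "only publicly obtainable details were supplied"
    has_possession = bool(req.evidence & POSSESSION)
    has_oob = bool(req.evidence & OUT_OF_BAND)
    if req.privileged:
        if has_possession and has_oob:
            return "approve", "possession factor plus out-of-band approval"
        return "escalate", "privileged account needs possession factor and manager approval"
    if has_possession or has_oob:
        return "approve", "possession or out-of-band factor verified"
    return "escalate", "unrecognised evidence; refer to security team"

def reset_bursts(requests, window=timedelta(hours=1), threshold=2) -> set:
    """Accounts with `threshold` or more reset requests inside `window` (a detection cue)."""
    seen: dict[str, list[datetime]] = {}
    flagged = set()
    for r in sorted(requests, key=lambda r: r.requested_at):
        times = seen.setdefault(r.account, [])
        times.append(r.requested_at)
        if sum(r.requested_at - t <= window for t in times) >= threshold:
            flagged.add(r.account)
    return flagged

if __name__ == "__main__":
    # Constructed sample: a caller offering only name and date of birth for an admin account.
    t0 = datetime(2025, 4, 30, 9, 0)
    print(evaluate_reset(ResetRequest("admin.ops", True, {"name", "date_of_birth"}, t0)))
```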
Next Steps
Cyber attacks like the one Co-op was hit with demonstrate the need for organisations to remain compliant and to keep the data they store and process secure.
Ensuring that you handle, process and store personal data in a way that’s in line with the law isn’t easy. To be confident that you’re compliant, and to address any concerns you may have, contact PRIVACY HELPER today, and let us remove the stress of managing data compliance in your business.