The Co-op has confirmed that the April 2025 cyber attack resulted in data theft on a significant number of customers after hackers breached its systems.
The UK retailer operates over 2,000 grocery stores, 800 funeral homes, and legal and financial businesses across the United Kingdom and select countries.
“We now know that the hackers were able to access and extract data from one of our systems,” the company told BleepingComputer. “The accessed data included information relating to a significant number of our current and past members.”
On April 30, 2025, the company was forced to shut down its IT systems after detecting unauthorized access, which occurred on April 22. A subsequent investigation determined that the unauthorized access resulted in data exposure.
The Co-op cyber attack resulted in data theft
Although the number of affected individuals remains unreported, the Co-op has apologized for the data theft of current and former mutual members stemming from the April cyber attack. The member-controlled mutual has over 6.2 million members, making the data theft significant.
The Co-op says the data theft leaked current and former members’ details, including names and contact details, which puts them at risk of targeted phishing attacks.
However, the data theft did not expose the victims’ account passwords, banking and financial information, such as banking account and credit card numbers, and transaction information. Customer and member information relating to any Co-op services was also not accessed.
Nonetheless, the UK retailer urged impacted victims to take usual precautionary measures to protect their accounts from exploitation. So far, the Co-op has no evidence that the attackers have misused the stolen data.
The company also disclosed that the cyber attack did not significantly disrupt trading operations, and members can continue trading as usual.
Meanwhile, the United Kingdom’s National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) are assisting the company to respond to the ongoing cyber attack.
“We are continuing to experience sustained malicious attempts by hackers to access our systems. This is a highly complex situation, which we continue to investigate in conjunction with the NCSC and the NCA,” the company stated.
The company has also implemented additional security measures to prevent further unauthorized access and disruptions stemming from the cyber attack.
UK retailers under attack
Similarly, the UK’s data regulator, the Information Commissioner’s Office (ICO), is looking into the Co-op and Marks & Spencer cyber attacks. Another UK retailer, Harrods, recently confirmed it also suffered a similar cyber attack, suspected to be linked to the same group victimizing other British retailers.
The NCSC is also concerned about the string of cyber attacks and has advised UK retailers to implement cybersecurity best practices, such as enabling multi-factor authentication (MFA) and monitoring, to prevent similar intrusions. However, it said it has yet to determine if they were linked to a single threat actor.
Meanwhile, it has emerged that the attackers applied social engineering tactics to reset an employee’s account password to gain access and traverse across the network.
They subsequently accessed the Windows NTDS.dit file, a Windows Active Directory Services (ADS) database that contains hashed account passwords, suggesting a high degree of sophistication.
Meanwhile, the Dragonforce ransomware operation has taken credit for the Co-op data theft and claimed the cyber attack was worse than reported. It claims to have stolen the data of more than 20 million people, and was responsible for the Harrods and Marks & Spencer cyber attacks.
