UK retailer The Co-op has confirmed that over 6.5 million people were impacted by the April 2025 data breach, which was loosely attributed to the elusive English-speaking Scattered Spider cybercriminal gang.
“Their data was copied, and the criminals did have access to it like they do when they hack other organizations,” explained the Co-op’s CEO, Shirine Khoury-Haq. “That is the awful part of this unfortunately.”
Other UK retailers, Marks & Spencer and Harrods, were also impacted by the hacking campaign, which threatened to spread across Europe and the United States. German retailer Adidas was also a likely victim of the hacking campaign.
The cyber attack was also the subject of a multi-week investigation involving the U.K.’s National Crime Agency (NCA), its international law enforcement partners, including the FBI, and impacted stores, resulting in the arrest of four suspects.
UK retailer The Co-op’s data breach impacted 6.5 million people
In April 2025, the UK retailer proactively shut down certain IT systems to contain the cyber incident and prevent the threat actor from pivoting to other systems and deploying ransomware.
It also launched an investigation to determine the scope of the cyber incident. While the company initially downplayed the data breach, it later admitted that the threat actors exfiltrated personal data, impacting over 6.5 million people.
While the threat actors did not steal financial details, the exfiltrated personal information included extensive personal data.
“We now know that the hackers were able to access and extract data from one of our systems,” the company previously stated. “The accessed data included information relating to a significant number of our current and past members.”
However, the UK retailer’s CEO told the British media outlet that the data breach did not leak the victims’ financial information, which could expose them to fraud. Nevertheless, it leaked contact information, which threat actors could exploit to carry out targeted phishing attacks.
“There was no financial data, no transaction data but it was names and addresses and contact information that was lost,” Khoury-Haq added.
Apologizing for the data breach, the UK retailer’s CEO said the leak personally concerned her as well as her IT recovery team.
“Early on I met with our IT staff and they were in the midst of it,” she continued. “I will never forget the looks on their faces, trying to fight off these criminals.”
The UK retailer’s CEO also lamented that the stolen information was “out there,” suggesting that it had already been leaked to underground hacking forums.
“Honestly, I’m devastated that information was taken,” the CEO added. “I’m also devastated by the impact that had on our colleagues as well as they tried to contain all of this.”
Suspects arrested by UK authorities
Earlier, the Co-op’s spokesperson lauded the country’s National Crime Agency (NCA) for apprehending the suspects behind the UK retailer’s data breach and others, such as Marks & Spencer and Harrods.
Meanwhile, the apprehended individuals were released on bail pending further investigation. Nonetheless, authorities recovered numerous electronic devices that were undergoing digital forensic investigation to determine if the unhinged suspected cybercriminals were involved in the Co-op data breach.
That illegal cyber campaign was linked to the Scattered Spider operation under the DragonForce Ransomware-as-a-service (RaaS) operation, which also threatened to spread into the United States and the rest of Europe.
“The Co-op breach is another reminder that protecting sensitive customer data requires more than perimeter defenses,” noted David Stuart, Cybersecurity Evangelist, Sentra. “It demands full visibility into where data lives, what its security posture is, how it moves, and who can access it.”
He warned that retailers faced increased cyber risks due to customer information spreading across various cloud platforms, SaaS applications, and internal systems.
“Without continuous security assessment, threat monitoring, and strong access controls, personal data can be left vulnerable,” he continued. “To defend against breaches like this and uphold privacy, organizations must adopt a proactive and data-first security approach that protects sensitive information wherever it resides,” added Stuart.
